Apple launched the £999 iPhone X last night, laying to rest the decade-old home button but more importantly, bringing out a new biometric authentication feature that could revolutionise the way customer data is stored.
Apple says there’s one in a million chance of someone cracking Face ID but security experts are still far from satisfied.
At first glance, Face ID, the new biometric authentication feature in iPhone X that Apple introduced at the Steve Jobs Theatre last night, seems to be more complex than Touch ID, considering it maps out a person’s facial features rather than a mere fingerprint. On its part, Apple went to great lengths to convince its fans that the feature is strong enough and secure enough to withstand the efforts of cyber criminals.
Firstly, Face ID uses the TrueDepth camera system’s infrared camera along with proximity and light sensors to detect and map out the face of an iPhone X user. The system also utilizes specialised hardware and a flood illuminator to create 30,000 invisible dots which can go a long way in mapping a user’s unique facial features. Like Apple says, unless you have an evil twin, you have no reason to worry.
While testing Face ID, Apple made sure the facial recognition feature, unlike its predecessors from other tech giants, didn’t fall for well-lit photographs or other faces that had similar features. The company even tested the software against face masks that mimic the unique features of a human face.
The software is also tuned to open only when a user is directly looking at his iPhone X, helping the user unlock his iPhone with a mere glance. While it seems that the software may survive questions on its credibility until it is updated with new features in upcoming iPhone models, security researchers believe they still don’t have the kind of information on the device’ software or hardware to verify Face ID as completely secure.
Following the 2015 San Bernardino terrorist attack, Apple absolutely refused to help the FBI crack a terrorist’s iPhone which was supposed to contain a lot of information concerning the terror attack. At that time, the case dragged so far only because the terrorist’s iPhone was secured by a security PIN which the FBI couldn’t figure out.
Security experts are now concerned that the FBI or the police won’t face as much trouble unlocking the iPhone X since Face ID would unlock a device as soon as its owner’s face is produced before it. Another concern is that the US government may now cite the Patriot Act to request facial biometrics of iPhone users from Apple as and when it feels like.
However, things shouldn’t turn out to be as bad as they seem to be. Mark Rogers, the Head of Infosecurity at CloudFare, believes that Face ID comes with a liveness test that involves users keeping their eyes open while unlocking their iPhones. This should make it impossible for the FBI to unlock an iPhone X using a dead terrorist’s face, or for that matter, impossible for anyone to kill someone and access their £1000 gadgets.
Edward Snowden is equally positive about Apple’s new facial recognition feature. He terms the technology as ‘a clever design that avoids some common flaws’ and that according to his sources, it comes with a panic disable feature just like TouchID did. To activate the panic disable, a user needs to tap the power/side button five times. Once it is activated it won’t be possible for the user to unlock his iPhone just by glancing at it.
However, he also warned that Apple’s introduction of the facial recognition software normalises facial scanning which is now certain to be abused by cyber criminals.
As far as a repeat of the San Bernardino incident is concerned, Oleg Afonin of security firm Elcomsoft believes that even if security agencies are able to unlock someone’s iPhone X, it would be tough for them to obtain any actional data from the device.
‘For the mobile forensic specialist, one of the most compelling changes in iOS 11 is the new way to establish trust relationship between the iOS device and the computer,’ Alfonin said.
When an iPhone running iOS 11 is connected to a computer, it will first ask the user to respond to a “Trust this computer?” prompt. Once this is confirmed, ‘the device will ask to enter the passcode in order to complete pairing. This, in turn, requires forensic experts to know the passcode; Touch ID alone can no longer be used to unlock the device and perform logical acquisition’.
‘This change is very important from the legal standpoint. While in certain cases the user may be compelled to unlock their device using their fingerprint, obtaining the passcode from the user may be challenging and, in many jurisdictions, not legally possible,’ he added.
Despite this saving grace, it may not be possible for Face ID to remain secure forever. Stephen Cox, Chief Security Architect at SecureAuth, believes that even though Face ID is secure enough and will not be fooled by pictures or other methods, the hacker community may fervently try to defeat it and may come up with a solution sooner or later.
‘Still, no single authentication technique is beyond the reach of attackers. Devices will be hacked and sensors will be tricked. It is important to layer such technology with adaptive authentication methods, such as IP reputation, phone number fraud prevention capabilities or behavioural biometrics. Security is very much about layers,’ he added.