Apple this week unveiled its new iPhone X as part of the smartphone’s 10th birthday, and with it comes a host of security concerns.
One of the major features of the iPhone X (X for the Roman numeral 10) is FaceID, a facial recognition feature for unlocking the phone by just looking at it.
Apple has a solid track record on personal privacy when it comes to securing its devices, but FaceID raises major issues, such as whether the tool could be used against an owner’s will to gain access to their phone, or what happens if a hacker steals your facial identity.
A staff attorney with the American Civil Liberties Union argued that law enforcement could use someone’s face against their will to unlock their phone, possibly without violating the person’s Fifth Amendment right against self-incrimination.
Carrie Leonetti, a law professor at the University of Oregon who specializes in emerging technology, agreed. She said FaceID and TouchID carry less constitutional protection than former methods for securing one’s phone.
“There’s at least a very open question if [police] said, ‘Tell us your iPhone password.’ You could successfully assert your Fifth Amendment privilege,” Leonetti said. “The Fifth Amendment protects communication and probably thought processes. It does not protect other tangible things, like your fingerprints or your face.”
Apple offers two ways to bypass this sticky situation. The new iOS 11 operating software added two security features to keep thieves or law enforcement from accessing your data.
The first is “SOS mode,” which allows panicked users to disable FaceID or TouchID by pressing the power button five times. The second requires a user to enter the phone’s passcode in order to trust a connection with a new computer, making it much more difficult to extract data from an unlocked phone.
Hacking your face
FaceID could usher in a new age of personal digital security, but in the age of 3D printing and Equifax breaches, could some enterprising hacker swipe your facial credentials and use them for bad deeds? To understand the answer, you first have to comprehend how the technology works.
FaceID starts with a scan of a person’s face. It creates a 3D map by projecting 30,000 infrared dots onto your face every time you open your phone. This facial map refines itself whenever you open your phone, building more detailed credentials each time.
Apple executives said a 3D projection of dots avoids problematic situations — like the one raised with the Samsung Galaxy Note 8. One web developer gained access to a Galaxy Note 8 by simply holding up a selfie of the phone’s owner.
Confirmed: I’m also able to unlock the Samsung Galaxy Note 8 with people’s Facebook profile pics and Instagram selfies from my iPhone… https://t.co/BeEMYxHu5Z
— Mel Tajon (@MelTajon) September 4, 2017
3D facial recognition prevents this type of hack, but it isn’t foolproof. Researchers at the University of North Carolina beat four different versions of these recognition apps by creating 3D facial models based on publicly available photos found on websites like Facebook and LinkedIn.
By using a heat-detecting infrared camera, Apple may have avoided hackers using this method, but FaceID could be exploited in other ways.
Windows Hello, another facial recognition app that uses infrared technology, is considered one of the most secure on the market, but in 2015, Berlin-based SR Labs used a plaster mold of a person’s face to break the security lock.
Despite these blips, Apple remains confident. During the iPhone X unveiling, Apple senior vice president Phil Schiller said his company worked with Hollywood makeup artists to test against hacker-made masks.
Schiller claimed the chance of a random person unlocking a device is one in a million, though he added “the statistics are lower if the person shares a close genetic relationship with you.”
The possibility did not go unnoticed on Twitter. Former Housing and Urban Development Secretary Julian Castro joked that he would let Apple know if his identical twin brother, Texas Rep. Joaquin Castro, could unlock his phone. “This should be fun,” Julian Castro tweeted.
— Julián Castro (@JulianCastro) September 12, 2017
Most security experts agree that if you want to ensure your phone’s security, you should use a six-digit PIN. This tactic remains the most private and secure way to protect one’s phone, and it can be easily changed. The same cannot be said for one’s face.