Smartphone Security: Samsung Galaxy S3 Unlocked Using Face Pic.

The IB Times UK is reporting that their own tests show the Samsung Galaxy SIII (or S3, if you prefer) currently cannot tell the difference between a picture of the phone’s owner and a living, breathing user.  Consequently, their recommendation is that some other way of securing the phone should be used in lieu of the face unlock feature.

For businesses, it probably means that the face unlock feature should be disabled on any company-issued device, and possibly on employee-owned devices brought in under a “consumerization of IT” (BYOD) strategy.  An MDM program can enforce this without relying on users: on Android 4.0 the device-admin API classifies Face Unlock as a weak biometric (DevicePolicyManager.PASSWORD_QUALITY_BIOMETRIC_WEAK), so a policy that requires any stricter password quality, such as PASSWORD_QUALITY_SOMETHING or higher, removes Face Unlock from the lock-screen options.

Past Issues Fixed by “Blinking”

This problem sounds not unlike the problems that fingerprint biometric sensor manufacturers used to face: as seen in countless movies, the initial versions of the security tool could be easily bypassed by using a photocopy or picture of an authorized user’s fingerprint, or by “dusting” the sensor to lift the latent print the last user left behind.

Such bypasses were countered by measuring pressure (when pressing down on the sensor), temperature, capacitance (the same electrical property of the body that lets the iPhone’s touchscreen register a finger, for example), moisture, and other factors.  These, however, were also easily defeated, such as by “breathing” on the sensor before putting a cutout of a thumbprint on top of the sensor and pressing down on it with a gloved thumb.  I mentioned in a previous post how the guys at Discovery Channel’s Mythbusters had an entire episode devoted to such hijinks.

For the Android phones, Google tried to fix the issue by requiring motion (

Android 4.0 Ice Cream Sandwich was released late last year, and it was soon discovered that its face unlock feature could be defeated with a photograph, despite Google’s Tim Bray stating on Twitter that it was not possible.

“Nope. Give us some credit,” Bray said in October, after being told by app developer Koushik Dutta that “the face recognition unlock thing is really easily hackable. Show it a photo.”

Contradictory statements.  So, who’s lying?  My guess is, neither one.

Let’s face it, Google’s engineers probably foresaw the potential problems with photocopied faces and whatnot, and coded a requirement that the face blink and, I don’t know, show other signs of life (makes you wonder how the use of video footage would affect it).  On the other hand, no biometric solution is perfect: every matcher has a non-zero false accept rate (the rate at which someone other than the owner is matched), and tuning it lower raises the false reject rate for the real owner.  False positives are a reality when it comes to biometrics.

What are False Positives?

False positives, for all intents and purposes of this post, are when a non-owner is given access to the Android phone.  In biometrics the term for this is a false accept.  It could be a situation where a picture of the owner gives access to the phone once in a while.  Or it could happen every time the same picture is shown.  Or, it could be a situation where someone else’s face is shown and the phone provides access.

Any time access is granted but should not have been is a false positive.  It’s another way of saying it’s an error.  The distinction that matters for security is between a rare chance error, which any biometric will produce at some rate, and a reproducible one, where the same photo works again and again: the latter is a spoofing weakness in the matcher, not bad luck.

In order to find out whether IB Times’s findings of a security failure are an instance of a chance false positive or a cogent underlying security issue, extensive trials would be required: present the same photo many times, count how often it unlocks the phone, and compare that rate with the false accept rate the feature is supposed to have.  Otherwise, it’d be like claiming that all US quarters are wonky because you took a random one, flipped it ten times, and got ten heads in a row.
