Security Musings Around iPhone X and Face ID

Today marked an important event for Apple enthusiasts (and anti-enthusiasts) around the globe. Apple delivered on the widely speculated announcement that new Apple Watch, Apple TV, and iPhone devices are forthcoming. Let’s be honest, Apple hardware is usually pretty solid and typically outlasts similarly priced or feature-rich alternatives. Even if many of the features aren’t that original and/or stray away from the historic or future specifications we technologists crave, many of us still use Apple devices simply because they are built on quality hardware and remain supported far longer than their modern competitors. All of this said, this post focuses on the security impacts of some of the hardware changes announced today.

Face ID

First things first, I am personally a bit put off by the idea of facial recognition as the sole biometric I/O in the iPhone X; however, before I ramble on too far, there are a few things to make clear:

  • Face ID is only available on the iPhone X; the other two devices announced today (iPhone 8 and 8 Plus) still utilize Touch ID.

  • I have not had the ability to test Face ID yet, thus these thoughts are simply anecdotal.

  • Although I’ve tested, used, and defeated other facial/eye verification services previously, I do believe Apple will deliver on Phil Schiller’s promise that 2D/3D replicas (such as the one that recently spoofed the Samsung Note 8: https://9to5google.com/2017/09/05/samsung-galaxy-note-8-face-recognition-fail) will be generally thwarted.

Phil Schiller advised that Apple worked with realistic mask and makeup artists for spoof testing.

So now that the table is set… where do the problems begin? Well, let’s face it (yikes, a face pun already), faces are simply terrible secrets. Alright, I do understand that the real “secret” is the digital fingerprint that Apple’s HD sensors and algorithms create from a user’s facial patterns; however, let’s think about why faces are generally a bad basis for authentication.

Faces are documented everywhere.

No joke, almost every portrait photograph that is taken includes someone’s face. The last time I looked at my Photos app on my Apple device, there were literally thousands of photographs tagged to my face alone. Could an attack surface get any more saturated?

Yea yea, I understand that Apple is doing everything it can to combat forgeries; however, I for one would not be holding my breath that Face ID will be spoof-proof. Phil himself even fleetingly noted that evil twins may be an issue.

The actual numbers of unique patterns utilized in today’s presentation compared Touch ID’s sensor at 1:50,000 vs Face ID’s array of sensors at 1:1,000,000. This is most likely due to the overall space the Face ID sensors have to analyze versus the tiny capacitive button for Touch ID. For what it’s worth, Face ID does require visual eye contact (no sleeping victim attack) and seems to currently have similar lockout thresholds to Touch ID (see the embarrassing demo fail for evidence). Furthermore, iOS 11 does include the ability to temporarily disable Touch ID authentication via SOS Mode. It is assumed this feature will extend to all local authentication, thus Face ID should also be protected if SOS Mode is enabled.

Lastly, in my opinion Face ID and Touch ID have the same overall dangers in regard to forcing and/or tricking someone into unlocking their device.

The Face ID Code Updates

Leafing through https://developer.apple.com this evening uncovered what I generally expected… most developer documentation was migrated to a more general biometric Local Authentication Context friendly tone.

Pointedly the following are now available via LA Biometry Type:

Furthermore LocalAuthentication Enumerations such as LAError.Code are now generalized to biometric type errors such as:

in lieu of the former Touch ID specific ones.

Face ID enrollment process.
Enrollment verification.

Thus, the updates security applications need in order to take advantage of Face ID should be pretty minimal, since the (grossly simplified) underlying return of Face ID authentication is the boolean value of isAuthenticated:True or isAuthenticated:False, the same as Touch ID.
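To make the "same boolean, generalized errors" point concrete, here is an added Swift example (not code from this post or from Apple's documentation) of an app treating Touch ID and Face ID uniformly through LAContext and failing closed on every error. The `BiometricResult` type and the function names are hypothetical; the enum case names are those of current Apple SDKs.

```swift
import Foundation
import LocalAuthentication

/// Outcome of one biometric attempt, independent of which sensor the device has.
/// (Hypothetical type for this example.)
enum BiometricResult {
    case authenticated
    case denied       // failed match, user cancelled, or unrecognized error
    case lockedOut    // too many failed attempts; passcode entry is required
    case unavailable  // no sensor present, or nothing enrolled
}

/// Map the generalized biometry error codes; anything unrecognized fails closed.
func classify(_ error: Error?) -> BiometricResult {
    guard let laError = error as? LAError else { return .denied }
    switch laError.code {
    case .biometryLockout:
        return .lockedOut
    case .biometryNotAvailable, .biometryNotEnrolled:
        return .unavailable
    default:
        return .denied
    }
}

/// Name the sensor for logging; valid only after canEvaluatePolicy has been called.
func describeBiometry(_ context: LAContext) -> String {
    switch context.biometryType {
    case .faceID:  return "Face ID"
    case .touchID: return "Touch ID"
    default:       return "none"
    }
}

/// Face ID additionally requires an NSFaceIDUsageDescription entry in Info.plist.
func authenticate(reason: String, completion: @escaping (BiometricResult) -> Void) {
    let context = LAContext()
    var probeError: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &probeError) else {
        completion(classify(probeError))
        return
    }
    print("Biometry in use: \(describeBiometry(context))")
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: reason) { success, error in
        // The reply can arrive on a private queue; hop to main before touching UI.
        DispatchQueue.main.async {
            completion(success ? .authenticated : classify(error))
        }
    }
}
```

The only branch that differs between the two sensors is the label returned by `describeBiometry`; the authentication decision itself never inspects the sensor type.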

Wrapping Up Thoughts on Face ID

Let’s be clear, I, along with many other security enthusiasts, have been screaming for the ability to enforce biometric plus a second factor. This doesn’t change with regard to the introduction of Face ID. I still strongly believe a second factor PIN/password/Token/Tag/etc would be a good mitigation for the extra security conscious. Moreover, there is still no requirement to utilize Face (or Touch) ID, thus simply forgo it if you are über concerned. That said, I do believe Face ID is generally a step in the wrong direction, and that it is only a matter of time before enough external data will be combined to side-step this control.
