If A Phone's Facial Recognition Security Can Be Defeated By A Picture Of A Face, What Good Is It?
from the a-thousand-logins dept
No technology is perfect and facial recognition software is obviously no exception. But whereas law enforcement groups use this flawed technology in too many instances, device manufacturers are beginning to ship out security features that rely on facial recognition software almost ubiquitously. Many might look at this modern technology and imagine defeating it and logging into another person's phone would resemble some kind of Mission Impossible style convolution. Sadly, as proven again recently with the release of Samsung's Galaxy S8, defeating the security feature is laughably simple.
With the public's first exposure to the Galaxy S8 happening a few days ago, it was only a matter of time until one of these biometric solutions had some holes poked in it.
One of those holes is that Galaxy S8's face recognition can be tricked with a photo. At least this is what a video from Spanish Periscope user Marcianophone purports. About 6 minutes into the 40-minute Spanish-language video, you can see the attendee take a selfie with his personal phone, then point it at the Galaxy S8, which is trained to unlock with his face. It only takes a few minutes of fiddling before the Galaxy S8 gives in and unlocks with just a picture, moving from the "secure" lock screen right to the home screen. Once the user dials in his technique, he shows the trick is easily repeatable.
This trick actually goes back quite a ways to earlier versions of the Android OS. Google had attempted to defeat this workaround by requiring users to blink during the facial recognition scan. That was almost immediately defeated by phone-breakers having to have two pictures instead of one, including one with the persons eyes closed and then switching between pictures during the scan. If you aren't laughing as you're picturing this in your head, your sense of humor is broken, because it's fairly hilarious.
Less funny is the obvious question: why bother with this stuff at all if it's so easily defeated? Samsung, to its credit, doesn't allow facial recognition to authorize Samsung purchases. If it's not good enough for that, why should it be good enough to serve as a locking mechanism for the phone at all? Other locks, including other biometric locks, perform far better. Maybe it would be best to table this security feature until it's, you know, secure.