six colors

by Jason Snell & Dan Moren

Linked by Dan Moren

Report: Hackers have tricked Face ID with a cheap mask

Writing at Wired, Andy Greenberg covers claims that hackers have already broken Face ID on the iPhone X:

On Friday, Vietnamese security firm Bkav released a blog post and video showing that—by all appearances—they’d cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make.

First things first: this was inevitable. Nobody’s yet invented the security measure that can’t be beaten.[1] The real question is “how vulnerable is the system?” and, in this case, despite the low cited cost, the chances that this will be deployed against the average person are pretty low. Not least of all because it seems to require several minutes of scanning someone’s face. If you have that much access to someone’s face, there are far easier ways of opening their phones, with or without their cooperation.

But, look, most people are not going to be at risk here, any more than the average person was at risk from someone duplicating their fingerprint. If you’re a high-profile person who’s likely to be targeted by thieves or intelligence agencies, then, yes, you should probably be taking extra precautions, but the rest of us are plenty fine using Face ID, Touch ID, or even a six-digit passcode.[2] But there’s no question that Face ID is tougher than many previous attempts at face-based security.


  1. Touch ID has been broken multiple times, but everybody keeps using it. Why? Because even if it can be beaten, it walks that line between security and convenience.

  2. Because you’re not still using a four-digit passcode, right?