There are countless reasons you might not want a 10-year-old to have access to your new $1000 smartphone.
And, after setting up Apple’s FaceID, Staten Island mom Sana Sherwani joked there was ‘no way’ her son could get into it now.
Unfortunately, however, the authentication system didn’t work as planned.
In a video posted to YouTube, the shocked parents have revealed how Apple’s FaceID registers both Sherwani’s face and that of her son Ammar, allowing the fifth-grader instant access to his mom’s phone.
In a video posted to YouTube, the shocked parents have revealed how Apple’s FaceID registers both Sana’s face and that of her son Ammar, allowing the fifth-grader instant access to his mom’s phone
WHEN FACEID FAILS
According to Apple, users must enter your passcode for additional security validation when:
- The device has just been turned on or restarted.
- The device hasn’t been unlocked for more than 48 hours.
- The passcode hasn’t been used to unlock the device in the last six and a half days and Face ID hasn’t unlocked the device in the last 4 hours.
- The device has received a remote lock command.
- After five unsuccessful attempts to match a face.
- After initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds.
While Ammar may resemble his mother, there are numerous differences that FaceID should detect.
But, in the video, the feature can be seen unlocking the device after a glance from Sherwani, and then from Ammar.
‘We are seeing a flood of videos on YouTube from iPhone users who have gotten their hands on the new iPhone X and are trying to trick the FaceID,’ wrote Attaullah Malik on YouTube.
‘When my wife and I received our iPhone X, we had no such intention.
‘However, things changed right after we were done setting up our new iPhones on November 3rd.
‘We were sitting down in our bedroom and were just done setting up the Face IDs, our 10-year-old son walked in anxious to get his hands on the new iPhone X.
‘Right away my wife declared that he was not going to access her phone.
‘Acting exactly as a kid would do when asked to not do something, he picked up her phone and with just a glance got right in.’
According to Wired, the 10-year-old was also able to unlock his father’s phone with FaceID, but only once.
In all other attempts, the feature did not give him access.
While the parents aren’t all too concerned with the possibility of Ammar abusing the flaw, though he could theoretically ‘order ice cream for himself whenever he wanted,’ it does act as an inconvenience, Malik told Wired.
And, it highlights what could be a greater privacy issue.
As Malik notes in a post on LinkedIn, devices these days know ‘more about you than your significant other.’
While Ammar may resemble his mother, there are numerous differences that FaceID should detect. But, in the video, the feature can be seen unlocking the device after a glance from Sherwani, and then from Ammar
THE IPHONE TWIN TESTS
Mashable ran its tests with two sets of identical twins who experienced false matches in both cases.
‘With both sets of twins, the other twin unlocked the iPhone X, even though neither one had registered his face with Face ID on the iPhone X,’ it wrote.
‘With the Franklin twins, we had both brothers remove their glasses and had the other brother register. Again, Face ID failed to tell the difference.
The Wall Street Journal’s Joanna Stern put it to the test with masks, costumes and eight year old.
She found after Declan Lyons registered his face, both his brothers Kormac and Kevin were able to unlock the phone.
Business Insider also tested the phone with twins.
One of the twins tries on sunglasses, a hat, a scarf, and then all three, challenging Apple’s assertions that Face ID can ignore those changes. The phone passes all four tests.
When confronted with both twins sans any accessories, the phone unlocks for one of them but not the other, despite there being little difference between the two people.
‘I was pretty shocked that the iPhone X could really pick apart the details between me and my brother considering some of our own family members can’t tell us apart,’ said Brian Fieber, one of the twins.
While other FaceID exploitations have involved more extensive efforts, such as the $150 ‘mask’ technique revealed by Vietnamese hackers this week, this particular issue required no work.
In a series of additional tests, at Wired’s suggestion, the couple toyed with re-programming Sherwani’s face under different lighting conditions.
Re-registering her face did block Ammar’s access – but, not when this was done in indoor, nighttime conditions like those when she first set the feature up.
In this case, Ammar was able to unlock the phone on his third try, sixth try, and all subsequent attempts from then on.
While other FaceID exploitations have involved more extensive efforts, such as the $150 ‘mask’ technique revealed by Vietnamese hackers this week, this particular issue required no work
Apple says the probability of another person unlocking your phone just by looking at it is slim: just 1 in 1,000,000.
But, this doesn’t necessarily apply across the board.
‘The statistical probability is different for twins and siblings that look like you and among children under the age of 13, because their distinct facial features may not have fully developed,’ Apple says on its support page.
‘If you’re concerned about this, we recommend using a passcode to authenticate.’