Can Facial Recognition Software be Hacked?

Do you use facial recognition to unlock your phone? If so, you’re in good company. By next year, experts predict that more than one billion smartphones will feature facial recognition technology. The technology has become incredibly versatile, especially since it upgraded from 2D mapping: Apple’s Face ID now generates a 3D map of your face using multiple sensors in the iPhone X. This is a stunning leap forward in mobile authentication: you only have to look at your screen and it unlocks.

However, exciting as this technology may be, it is not without flaws. The Dutch organisation Consumentenbond found that 42 out of 110 devices tested could be unlocked using just a picture of the device’s owner. The brands that could be fooled included Motorola, LG, Nokia, Samsung, and Blackberry.

Even those phones whose software couldn’t be tricked by using a photo still may have vulnerabilities. A journalist for Forbes had a copy of his head 3D printed for £300. The fake head worked on all four Android phones he tested.

Another interesting story about fooling facial recognition software comes from researchers in Vietnam. In the first reported case of researchers being able to fool the Face ID software, a researcher there demonstrated how he tricked the software on the iPhone X simply using a mask. The mask was made with a 3D printer, silicone, and paper tape, all in all costing about $150.

This isn’t necessarily a serious concern, though. Ngo Tuan Anh, the vice president of the cybersecurity firm Bkav which built the mask, admitted that the project took about a week and included numerous failures. The phone and mask need to be held at precise angles and adjusted accordingly, a calibration process which he said could take up to nine hours. And, of course, the hacker would need access to your face.

So, in the end, would this be a problem if someone else managed to get a hold of your phone? Not so much. In the end, no cybersecurity measures are 100% foolproof if a person is dedicated enough. The question comes down to how much time, money, and energy a hacker would be willing to put in to access your phone. Still, it is likely more secure to use a simple pass-code, which can’t be fooled with pictures, and stick to the essential security measures: don’t fall for phishing scams; use a password manager; hide your IP address with a VPN.

But concerns about facial recognition hacks have wider implications than simply unlocking a phone.

Facial recognition technology relies on databases to store the associated information, and these have vulnerabilities that allow them to be breached. Last month, reports emerged that a “malicious cyber attack” had resulted in the theft of photos of airport passengers and other personal data. The database was maintained by U.S. Customs and Border Patrol as part of their facial recognition program.

Another concern is what big companies do with the information they glean from facial recognition software. Looked at from this angle, it seems that software doesn’t need to be hacked in order to invade your privacy: big companies and organisations may be using the software to do so already. For example, Amazon offers “Face Rekognition” to clients, which allows them to build their own facial recognition system. The Washington sheriff’s office has been using this software since 2016 to identify suspects.

Ultimately, the truth is that facial recognition software does have some degree of vulnerability. If a hacker really wants to, they may be able to get around it and access your phone. Database breaches are also a potential issue. But hackers aren’t necessarily the biggest concern: it’s the way these databases can be used to compromise democracy, the justice system, or be used for big data in ways that are perfectly legal but not necessarily ethical. Remember that this software is not perfect: according to a study by the ACLU, Amazon’s Face Rekognition software identified 28 members of congress as other people with arrest records. It’s also worth noting that 40% of those wrongly identified were people of colour, and numerous accusations of racial bias have been levelled against facial recognition technology.

Bottom line? Don’t worry so much about hackers – worry more about who you’re giving permission to in the first place.