Digital image can dupe Android face-based lock

Google says the "Face Unlock" feature in Ice Cream Sandwich can't be fooled by images. A viral video begs to differ.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
An image of a face displayed on a phone was enough to trick Android 4.0's new Face Unlock feature, a new video demo shows. (Credit: SoyaCincau)

A new feature in Android 4.0 will allow you to unlock the phone using facial recognition. But if you want high security, don't rely on it.

A video demonstration created by mobile blog SoyaCincau shows that the Face Unlock feature can be fooled by showing it a mere image of the face used to set up the locking mechanism. The video shows someone unlocking a Galaxy Nexus running Android 4.0, also known as Ice Cream Sandwich, by holding up to the device a digital photo of himself displayed on another phone.

Per the description of the YouTube video:

While some of you think that it is a trick and I had set the Galaxy Nexus up to recognise the picture, I assure you that the device was set up to recognise my face.... I would love to do this test again but I don't have a Galaxy Nexus, it is VERY hard to come by as it is not launched yet, but I urge anyone with a Galaxy Nexus to do the same test. Program the device to recognise YOUR FACE and then try to trick the same device with a similar looking picture, it will work.

The demo is done at an event where the Galaxy Nexus, which hasn't yet been publicly released, was on display. The information under the video says the test was conducted after someone sent the blogger a tweet asking if a printed photo could fool the Face Unlock feature. There was no printed picture handy, so the demo was done with a digital image of a face taken on a Galaxy Note phone.

A Google representative contacted by CNET said the feature is considered low security and experimental. Even the interface warns users that "Face Unlock is less secure than a pattern, PIN, or password" and that "Someone who looks similar to you could unlock your phone."

It's also true that someone would have to plan ahead to have a photo of a target and wait for that person to leave the phone unattended to get access to a device locked with the feature. There is no question that using this low-level security feature is better than not locking the phone at all, as long as you understand the limitations.

Given the video demo, it's unclear why a Googler would have suggested recently that using a photo would not open up a device protected with Face Unlock. Last month, Koushik Dutta, a developer of the Android after-market firmware replacement CyanogenMod, tweeted: "The face recognition unlock thing is really easily hackable. Show it a photo." In response, Tim Bray, who is on the Android team, tweeted: "Nope. Give us some credit."

"It was safe to assume that Google wouldn't let its face-recognition technology be bypassed using a photo but this confirms it," The Next Web wrote at the time. "Good news for those who were worried about their friends hacking their smartphone by using a Facebook profile photo or something similar."

(via The Huffington Post)