Android Phone Security Duped by 3D Printed Head

A 3D printed model head fooled facial recognition security features on four Android phones. It's not exactly a practical blueprint for thieves, but does show the security of such features varies dramatically between handsets.

Thomas Brewster of Forbes commissioned a 3D model of his head that combined data from 50 cameras. It cost him a little over £300, equivalent to around $375 USD. (Source: forbes.com)

Angle & Lighting Important

He then took five smartphones and used the facial recognition feature to take an image of his head to use as a unlock tool before holding up the 3D model to see if it would work. All five phones were high-profile, high-end handsets released in the past year or so. The results were as follows.

• An LG G7 unlocked instantly for the fake face. However, a later attempt to recreate the event for a demonstration video failed, which Brewster believes may have been because a software update released in the meantime improved security.
   

• A Samsung S9 also unlocked, though it did require holding the model face at a particular angle and with the right lighting. Iris recognition, which Samsung recommends ahead of the facial recognition option, unsurprisingly wasn't fooled by the model.
   

• A Samsung Note 8 phone unlocked in both a "faster/less secure" mode and a "slower/more secure" mode. The latter required similar angle and lighting tweaking to the S9.
   

• A OnePlus 6 handset opened instantly, with Brewster describing it as the least secure of the handsets tested.
   

• An Apple iPhone X proved impossible to fool with the fake head.

Windows Not Fooled

Brewster also tested the fake head on a computer running Windows with the Windows Hello facial recognition tool. As with the iPhone, it was impossible to fool the system.

Clearly it's unlikely the average user is going to be the target of criminal behavior, especially with the resources and dedication to produce a fake head. This is especially true, given that the method mentioned in this post required a 50-camera facial scan.

What's more interesting is that the varying handsets performed so differently. It certainly creates the impression that Android manufacturers have tilted the balance more towards convenience, and less towards "impenetrable security" that Apple or Microsoft has achieved. It's also possible that the Android phones could be more vulnerable to other techniques such as a lookalike being able to unlock a phone.

It's also worth noting that several of the manufacturers warn users that their facial recognition isn't the most secure biometric lock method and that those who want maximum security should consider fingerprint sensors iris scans instead. (Source: techspot.com)

What's Your Opinion?

Do you use and trust facial recognition? Do manufacturers do enough to warn that it has limitations? Is this test a real security worry or too unrealistic to suggest a genuine threat?