Method for bypassing Android's Face Unlock
for Android users.

Tested the security of Android's Face Unlock feature today on my Nexus 7 by holding up my phone with a photo of myself displayed on the screen. It unlocked immediately. I'm posting this as a warning to any Android users on the HB who might be using this feature to secure your device. Anyone who has a photo of you (or can snap one as you walk by) can access your device.
-- 21 Quest, Jun 07 2013

WKTE
-- pocmloc, Jun 07 2013


I'll delete shortly.
-- 21 Quest, Jun 07 2013


Wow, did they seriously not think that through at all?
-- DIYMatt, Jun 07 2013


That's what I was wondering.
-- 21 Quest, Jun 07 2013


What you obviously need is a photo of someone else at the beginning, say Buster Keaton.

You then use that as "your face", and no matter how hard thieves try when they show a photo of you, it'll never unlock.
-- not_morrison_rm, Jun 07 2013


That's brilliant... then even a clone couldn't get in.
-- 21 Quest, Jun 07 2013


Not that I'm suggesting trying it but <link>
-- FlyingToaster, Jun 07 2013


Thanks for the heads up, but nobody uses Android phones except for you.
-- ytk, Jun 08 2013


Ah, the perils of early adoption.

I think it'll be quite some time before face recognition software is able to tell the difference between a face and a picture of a face.
-- Wrongfellow, Jun 08 2013


this is clearly more for convenience than for security. Can you do a mustache test or sunglasses test, [21]?

Also -- this is clearly not sufficient for denying your kidnappers access -- but if you lose your phone, unless you left your wallet with your driver's license right next to it, how is someone getting that photo?
-- theircompetitor, Jun 08 2013


Or a second, infrared picture -- would be a cool feature on a phone, anyway.

I wonder if the cameras have enough zoom to look at your iris.
-- theircompetitor, Jun 08 2013


// unless you left your wallet with your driver's license right next to it, how is someone getting that photo?//

They might just have to wait until you call the phone looking for it, but once they get your name all they have to do is find you on Facebook/MySpace/Twitter and hold it up to your profile pic. But you're overlooking the fact that pickpockets target smartphones a lot these days because of the huge resell value (I've seen a Samsung Galaxy S4 on Craigslist for over $300.00, $500.00 with accessories and rooting included). A pickpocket will have plenty of opportunity, as he stalks his mark, to snap a pic with his own phone's camera.
-- 21 Quest, Jun 08 2013


that picture would be hard to use, I would think, [21]
-- theircompetitor, Jun 08 2013


For you, maybe. A lot of folks have their own photo set as their profile pic. And if your Facebook profile isn't set to 'private', I'm sure they can find a photo of you in your albums, or in the albums of one of your friends.
-- 21 Quest, Jun 08 2013


ok, but the list of people who can make the connection between my face and my locked cell phone is pretty small, and frankly I think the chances are better than even that they also aren't going to steal it.
-- WcW, Jun 08 2013


yes, my point was that if it is locked, they don't know whose picture they would need.
-- theircompetitor, Jun 08 2013


Don't quote me on this, but I'm pretty sure that you can just do what they do with bricked phones at the store, force it to boot via the USB as a mass storage device and disable the boot lock. I imagine the dedicated thief, interested in the value of the content and not the hardware or potential exploitation of the phone itself would just do that. The ability to use the cellular network is tied to the SIM card which is not locked by any means, the overall phone can be wiped then cloned, so in the wrong hands this is virtually worthless. Frankly we are talking about preventing your acquaintances from becoming familiar with your private bizness and from the schlub who might instagram all your naughty photoz before smashing your phone on the railroad tracks. If it makes you feel good, do it, but don't put anything on your phone that you would really object to seeing made pubic because it is fundamentally insecure.
-- WcW, Jun 08 2013


// yes, my point was that if it is locked, they don't know whose picture they would need//

Again, all they have to do is wait for someone to call the phone looking for it and ask for your name on the pretense that they're going to call the carrier to verify that you're the legitimate owner. Once they have your name, they know within a pretty good statistical likelihood whose picture they will need.
-- 21 Quest, Jun 08 2013


This security flaw has been at least somewhat corrected on the Moto X. It has an option for a 'liveness' check which requires you to blink during the facial recognition process.
-- 21 Quest, Mar 08 2014


//It has an option for a 'liveness' check//

Can't help feeling that's unfair on ventriloquists in some way..cuts to Chuck and Bob's mind reading act.

Well, one obvious one would be to have the user gurn, then use that as the face...of course I'm aware that gurn control can be a contentious issue in some countries on the other side of the Atlantic. Or, in fact, the Pacific, remembering where I am now.
-- not_morrison_rm, Mar 08 2014


