Digital image can dupe Android face-based lock

[Malvado]

[video=youtube;BwfYSR7HttA]http://www.youtube.com/watch?v=BwfYSR7HttA&feature=player_embedded[/video]
​

A new feature in Android 4.0 will allow you to unlock the phone using facial recognition. But if you want high security, don't rely on it.

A video demonstration created by mobile blog SoyaCincau shows that the Face Unlock feature can be fooled by showing it a mere image of the face used to set up the locking mechanism. The video shows someone unlocking a Galaxy Nexus running Android 4.0, also known as Ice Cream Sandwich, by holding in front of the device a digital photo taken of him that is displayed on another phone.

Per the description of the YouTube video:

While some of you think that it is a trick and I had set the Galaxy Nexus up to recognise the picture, I assure you that the device was set up to recognise my face.... I would love to do this test again but I don't have a Galaxy Nexus, it is VERY hard to come by as it is not launched yet, but I urge anyone with a Galaxy Nexus to do the same test. Program the device to recognise YOUR FACE and then try to trick the same device with a similar looking picture, it will work.

The demo is done at an event where the Galaxy Nexus, which hasn't yet been publicly released, was on display. The information under the video says the test was conducted after someone sent the blogger a tweet asking if a printed photo could fool the Face Unlock feature. There was no printed picture handy, so the demo was done with a digital image of a face taken on a Galaxy Note phone.

A Google representative contacted by CNET said the feature is considered low security and experimental. Even the interface warns users that "Face Unlock is less secure than a pattern, PIN, or password" and that "Someone who looks similar to you could unlock your phone."

It's also true that someone would have to plan ahead to have a photo of a target and wait for that person to leave the phone unattended to get access to a device locked with the feature. There is no question that using this low-level security feature is better than not locking the phone at all, as long as you understand the limitations.

Given the video demo, it's unclear why a Googler would have suggested recently that using a photo would not open up a device protected with Face Unlock. Last month, Koushik Dutta, a developer of the Android after-market firmware replacement CyanogenMod, tweeted: "The face recognition unlock thing is really easily hackable. Show it a photo." In response, Tim Bray, who is on the Android team, tweeted: "Nope. Give us some credit."

"It was safe to assume that Google wouldn't let its face-recognition technology be bypassed using a photo but this confirms it," The Next Web wrote at the time. "Good news for those who were worried about their friends hacking their smartphone by using a Facebook profile photo or something similar."

SOURCE: Face Unlock Tricked: Man Unlocks Galaxy Nexus Using Picture, Exposes Android Flaw (VIDEO)

 

[marleyinoc]

There are levels of security on face unlock apps in market... on the lower levels a digital pic (assuming person who finds your phone knows what you look like) would work. On higher levels a digital pic will not work... but you may also increase chances of not have your face recognized. More setup pictures in varying levels of light can help reduce failures.

Sent from my phone.

 

[wicked]

Not so much worried of a stranger stealing my phone and happen to have a picture of me. :icon_ lala:

 

[JSM9872]

Not so much worried of a stranger stealing my phone and happen to have a picture of me. :icon_ lala:

I have a picture of you ready to go. Now to just get my hands on your phone :icon_ devil:

In all seriousness I never thought of that. I guess it would be less safe at home in that case.

 

[DamirD1984]

I have a picture of you ready to go. Now to just get my hands on your phone :icon_ devil:

In all seriousness I never thought of that. I guess it would be less safe at home in that case.

I've got nothing to hide ;-p


But I would let it capture a facial expression to make it a little more difficult

 

[Ohyea!]

Sounds like a nosy wife or girlfriends new best friend. Thanks a lot Google...

 

[dezymond]

Not much of a flaw, I knew it would work with a picture. Not a fingerprint or breath analyzer after all.

Recognizes and remembers the face, so of course it'll work with a picture.

 

[Sweettooth]

Somehow I don't think the face unlock was built as a security feature as much as a convenience feature.

 

[cush2push]

this isnt a big deal at least to me it isnt a dev phone with out a stupid UI over it is good enough for me
as wicked said it isnt the phone unlocking to a picture that would scare me its a stranger having my pic that would

 

[mikeinctown]

Somehow I don't think the face unlock was built as a security feature as much as a convenience feature.

+1, convenience for sure. Just look at the phone to unlock. And if you lose it, what are the chances the person who finds/steals it has a photo of you?

 

[kodiak799]

I don't know....a pattern is pretty quick and easy to do. But I bet patterns aren't all that secure or uncommon, not unlike people choosing 1234 as a pin. Facial recognition may actually be superior for most, depends on how accurate and quick it is.

 

[dezymond]

I don't know....a pattern is pretty quick and easy to do. But I bet patterns aren't all that secure or uncommon, not unlike people choosing 1234 as a pin. Facial recognition may actually be superior for most, depends on how accurate and quick it is.

The facial recognition feature works fairly quickly form what I've seen. I always thought, especially after the failed demo at the announcement, that one would have to hold the phone up to their face for a good 3-5 seconds, but it's much quicker than that from what I've seen on other demos.