A wide variety of contemporary Android smartphones is highly susceptible to being tricked into unlocking by fake heads, one of the conceptually most banal attempts at spoofing conventional mobile facial recognition, Birmingham, United Kingdom-based tech company Backface reports. The firm's recent experiment saw numerous Android handsets confronted with 3D-printed heads resembling their owners, and while everything from the Samsung Galaxy S9 and Galaxy Note 8 to the LG G7 ThinQ and OnePlus 6 mistook the plastic model for an actual person and wrongly provided the attackers with full access to their contents, Apple's iPhone X resisted the scam.
Don't use facial recognition if you care about security
The study serves as yet another piece of evidence that mobile face unlock services are inherently insecure and should be avoided by anyone truly interested in keeping the contents of their handsets away from prying eyes and fingers. The Apple iPhone X prevailed in the test primarily due to the hardware it employs for detecting and identifying faces; instead of using a traditional camera sensor (or two) primarily designed for photography, Apple's Face ID solution relies on an infrared camera and other specialized modules capable of scanning three-dimensional face models and matching them against owner biometric info, thus conducting facial recognition checks in a much more accurate (i.e. secure) manner than services relying on conventional phone cameras.
Backface is quick to point out that not all of the tested smartphones were equally easy to spoof with its fake human faces, but all ended up being tricked at least once following some experimentation with angles and lighting. A scenario wherein an attacker has enough time to 3D-print a fake face would also likely allow them plenty of room for toying with different samples, so a slightly more consistent facial recognition solution presumably wouldn't actually make a device more secure in practice.
The authors of the research didn't test their methodology with the Xiaomi Mi 8, the first Android device utilizing a depth-sensing camera module akin to the one found on Apple's most recent iOS flagships. The tradeoff with such a system is a sizable display notch or a somewhat thick top bezel (by 2018 standards), though the end result of a consumer-grade 3D camera is the best combination of security and convenience the mobile industry can currently offer.
A new trend emerging on the horizon as Batman keeps knocking
While the study's findings offer little new insight into how (in)secure typical Android face unlock services are, they do provide more context as to why the smartphone segment as a whole now appears to be inching closer toward the commercialization of 3D camera setups on a larger scale. How comprehensively the industry will embrace such technologies remains to be seen, given that those solutions are directly rivaled by in-display fingerprint readers, objectively more secure authentication solutions which are also easier to market, i.e. explain to the average consumer. Fingerprint scanning also allows for arguably more robust anti-spoofing techniques based on a broad range of quickly evolving technologies, whereas even some of today's most popular facial recognition solutions are prone to some absolutely tragicomic fails like thinking Batman is knocking.