Phones' facial recog tech 'fooled' by low-res 2D photo


David H. Lipman

Quote

Samsung, Oppo and Nokia are among a range of Android phone makers with facial recognition scanning tech that can be "easily duped" by a printed 2D photo, according to tests undertaken by campaign group Which?

Resident techies that put a range of phones and brands through their paces (see box below) said the findings were of concern as biometric tech is often billed as one of the most secure ways to unlock a handset.

Of the 48 phones Which? sent to labs for testing, 19 could be spoofed with photos and "worryingly" these were "not even particularly high resolution and were printed on a standard office printer on normal, rather than photo, paper."

The vast majority of the phones that failed the simple biometric test were, unsurprisingly, low to mid-range in price, though Which? claimed there were exceptions, including the Xiaomi 13 and the Motorola Razr.

Of the phones that Which? reckons could be fooled, seven were made by Xiaomi, four came from Motorola, while two came from each of Nokia, Oppo and Samsung. One model made by Honor and another by Vivo were also found to be exploitable.

Under Android's requirements, phone makers must ensure devices and software are "Android compatible," which includes how often device security can be spoofed. Class 3 systems must not be duped more than 7 percent of the time, and Class 1 systems are least secure, with a spoof rate of 20 percent of the time or more.

Which? voiced worries that scammers could exploit the weakness to – for example – access Google Wallet to make payments to a limited value (£45 in the UK, about $56) without needing to unlock their phone. For larger transactions, Google asks users to use a Class 3 biometric lock, Which? said.

Phones Which? claimed were vulnerable to 2D photograph scams:

  1. Honor 70
  2. Motorola Razr 2022
  3. Motorola Moto E13
  4. Motorola Moto G13
  5. Motorola Moto G23
  6. Nokia G60 5G
  7. Nokia X30 5G
  8. Oppo A57
  9. Oppo A57s
  10. Samsung Galaxy A23 5G
  11. Samsung Galaxy M53 5G
  12. Vivo Y76 5G
  13. Xiaomi POCO M5
  14. Xiaomi POCO M5s
  15. Xiaomi POCO X5 Pro
  16. Xiaomi 12T
  17. Xiaomi 12T Pro
  18. Xiaomi 12 Lite
  19. Xiaomi 13

Google Wallets, as Reg readers know, contain credit or debit cards and may display the last four digits of a card number, and potentially information about recent transactions. This and other apps could be vulnerable to the 2D photo lock vulnerability.

The vulnerable phones it tested should be classified as Class 1 biometric, the campaign group added. "Android does not permit phones in this category being used by third party apps to sign in or to confirm important actions."

Banking apps can require other additional requirements or authentication methods for higher amount transactions. Though if you're an Apple user, none of this matters as all the iPhones tested passed due to a "more robust system" that includes a "3D depth map of your face" and explains why numerous banking apps allow just facial recognition measures on Apple's devices.

There are no laws in place that hold phone manufacturers' feet to the phone with regards to biometric security. There are voluntary standards, such as the European Telecommunications Standards Institute, which says "2D Facial recognition must not exceed being duped 1 in 50,000 times." The phones tested failed this metric, the campaign group reckons.

Which? said Google is working with others across industry on a certification program based on this standard. The consumer champion called on vendors to up their biometric game against spoofing and inform users of the limitations of some types of facial scanning tech.

Lisa Barber, tech editor at Which?, said in a statement: "It's unacceptable that brands are selling phones that can be easily duped using a 2D photo, particularly if they are not making their customers aware of this vulnerability. Our findings have really worrying implications for people's security and susceptibility to scams.

"We would strongly advise anyone using these phones to turn off face recognition and use the fingerprint sensor, a strong password or long PIN instead."

Google told Which? that hardware OEMs select the tier of biometric security and it is their responsibility to ensure their products can meet the Android Compatibility Definition Document requirements. Google said it is "constantly working to raise the bar for user security."

Nokia phones tested by Which? have facial recognition software that does not have privileges in third party apps, the vendor told the campaign group. Nokia said it warns customers the phones can be unlocked by someone that looks "a lot" like them. It said it found no issues when testing the phones.

Samsung told the campaign group that its fingerprint reader was the "highest level of authentication," and Vivo agreed that at an industry level, 2D facial recognition is an "elementary security measure," telling users during the phone's set-up process that the affected phones can be unlocked by another individual that looks similar to them.

Honor, Motorola, Oppo and Xiaomi didn't respond to the campaign group to give their side of things. We asked those businesses to comment but at the time of publication, only one had replied.

A spokesperson at Oppo told The Register:

"OPPO adopts security features based on industry standards, providing various security options for users to unlock their phone. The 2D face recognition matches the owner with the phone through AI algorithms and is designed for quick unlocking. For the highest level of biometric security, we would advise using fingerprint method."

Motorola parent Lenovo said: "Security has always been at the core of what we do, and the security of our consumers remains a top priority for Motorola. The highest level of security includes using fingerprint and complex passwords. The Face Unlock technology is intended to support convenient unlocking of the phone, although Motorola reminds and recommends during the setup process that consumers use a PIN, password, or pattern for enhanced security.

"Also, if a consumer chooses to use Face Unlock for convenience after consenting to use this feature, they will also need to choose a pattern, PIN, or password to secure their device." ®
