03 Aug

If you're serious about security on your Android phone or tablet, you probably know that the Face Unlock feature introduced in Ice Cream Sandwich is a long way from secure. While Google didn't make any claims to the contrary, it looks like the extra "Liveness check" (which requires the user to blink after the initial scan) is almost as susceptible to spoofing. A group of YouTube users demonstrated how to get past the check with a photo taken off of Facebook and just a few minutes of Photoshopping.

The technique is ridiculously easy: find a relatively clear photo of your mark, use a photo editor (Paint.NET in this case) to cover his or her eyes with their corresponding skin tone, and flash the original and modified images on a monitor. Point the Jelly Bean device towards the monitor, flip the images when directed, and bang - unrestricted access. Again, it's not as if anyone was seriously relying on the Face Unlock for security anyway, but this demonstration reinforces the fact that you should have a PIN or pattern unlock on your Android device if you keep any sensitive data handy.

Thanks, David!

Jeremiah Rice
  • RedPandaAlex

    Not surprised at all. Though it probably makes it hard enough to crack that if you lost your phone you'd have enough time to change your Google password or remote wipe it or something.

  • http://twitter.com/turbosix turbosix

    this is retarded. unless the person that's stealing your phone knows you personally how the hell are they going to have a picture of you, much less know your name?

    • http://twitter.com/apa1102 Apa Chen

      If your phone has an SD card, maybe it's easy to find your pictures on the SD card.

      • Bon K

        You could find pictures from the SD card, but how do you determine which one is the owner of the phone?

        • BlaineMagee

          The person that is probably in most of the pictures...

          • TwilitSky

            Actually, when I look through my photos on my phone, I lament that I'm rarely in my own photos... because I'm usually the one taking them.

          • Bon K

            I doubt that it will be the case unless the person likes to take a picture of himself/herself.

          • tookieboy

            Not everyone self-camwhore. #justsaying

          • Ejronin

            Only if they're a narcissistic d-bag.

            I'm in the fewest pics on my phone because I'm the one taking them

    • http://codytoombs.wordpress.com/ Cody Toombs

      Not that this is worth discussing for the 43,298,774,509th time, but sometimes the person who is trying to get past your lock screen does know you. Nobody said that this "security measure" had anything to do with anti-theft. It's typically about keeping friends from playing pranks with your social network apps, stopping people from picking up your phone to make calls, or to keep snooping girlfriends out of your call history and text messages (come on, I know a few people must understand this one).

      Everybody knows face unlock is a novelty feature for ICS, the same way that Facetime was a novelty for iOS 4. It's unreliable, it's slower than most methods of unlocking (except for a full text password), it relies on moderately good lighting. Since before anybody got their hands on Face Unlock, there were tons of people talking about using a Facebook picture to defeat it. When the Liveness Check was announced, tons of people (myself included) suggested that a simple app that fakes eyelids would be enough to break it.

      I'm honestly surprised that it took this long before somebody bothered to demo the weakness. I'm possibly more surprised that it seemed to require 3 people, or that they seemed oddly proud of it.

  • http://www.facebook.com/profile.php?id=898440028 Michael Ruocco

    This is the dumbest thing I've ever seen. These guys need to get out more

    • http://www.androidpolice.com/ Artem Russakovskii

      I always admire people who are trying to think outside the box and break existing security, no matter how silly the methods end up being.

  • http://twitter.com/magiman7 magiman7

    Maybe it is a lesson to not make pictures of you public on facebook?

  • http://www.facebook.com/tcostasouza Thiago Souza

    Every security mechanism is breakable... what matters is how difficult it is to break. In this case the liveness check imposes that someone needs an extra edited photo to break it...

  • CeluGeek

    I always assumed that if there are videos of you posted on the Internet, people could make an animated GIF of you blinking and use that to unlock your phone.

  • SenseOffender

    Foolishness really, unless it's your partner and they suspect you of cheating, who would do this? And if they got caught would they not expect an ass whooping for their troubles? I mean, theft is theft, right?

  • Phillip Hagger

    I don't understand why people keep calling this a security mechanism. It's just an unlock like the sliding unlock to keep you from accidentally opening your phone and doing things. This gives you a way of unlocking without having to even touch the screen. Just push the button with the phone in front of your face and it's ready to use. If your face isn't there from you accidentally hitting the power button then it doesn't unlock. I know Google added the pattern backup but really why even promote it like that. It's just a convenience feature.

    • http://www.androidpolice.com/ Artem Russakovskii

      It's not just a convenience feature. I think the fact that it's listed under Settings -> Security should be sufficient enough to answer your question.

  • Kirby Honeycutt

    If people are willing to go to this much trouble to fake a facial scan, who's to say they wouldn't be as diligent trying to find your pin? If they want to get in, they'll get in regardless. The facial will still keep the majority of "casual thieves" and nosy passers-by locked out, which is who most would encounter daily anyway.

  • Simon Belmont

    Wow. This seems like a lot of work just to get to play Angry Birds on a phone that isn't yours.

    They would have to know what the owner of the phone looks like anyway. That might be on the SD card, but most people take pictures of OTHER people or objects. A lot of factors need to come together to bypass this. Seems pointless.

    • http://www.androidpolice.com/ Artem Russakovskii

      If you only have Angry Birds on your phone, you probably won't care, but some people have sensitive information, in fact more of it on their phones than on their laptops. I am always surprised at why smartphones are thought of differently compared to other devices in this sense. I sure as hell would be terrified if someone has gotten a hold of my phone.

  • Andy Clark

    To be fair though, Google have never said it was secure. It's listed as insecure in the menus.

  • faceless128

    so basically, it's secure against strangers, but not very secure against people that know it's your phone... good enough for most people i'd guess...

  • Gerry Juans

    How difficult would it be to implement a display-detection algorithm?

    • http://codytoombs.wordpress.com/ Cody Toombs

      Depends entirely on the quality of the screen you're pointing at and the quality of the camera on the phone. The better the pixel density, the harder it'll be to see pixels. If the display is LED or LCD as opposed to CRT, you aren't going to get moving scan lines either, which takes away the most reliable method. All of these things are made weaker if you have a low quality camera sensor, which is how I'd describe every front-facing camera on the market, so far.

      Really, the only way they can make Face Unlock a relatively secure method is to require the owner to move the camera from one angle on the face to another, thus proving that they are looking at a 3D face. A video could still defeat that, but it's a lot harder to get a video that would be good enough, timed well enough, and crosses the correct angle. It's still not impossible to break this method either, even with a single photo from Facebook; but it would require legitimately complicated software that performs a lot of guess-work to create simulated motion. At the very least, this would raise it to the standard that it is probably easier to break into the phone using other methods (or the fallback PIN number).

  • tanjiajun34

    A bunch of people trying hard to become hackers.... LOL

  • scudd

    That video was 4 minutes too long

  • toshistation

    Seems like an awful lot of work to change somebody's wallpaper to a picture of a penis. I sort of feel like people are reaching at this point.

  • http://them3blog.wordpress.com/ Abel

    they should have used a smile gesture to unlock... try and beat that!

    • http://codytoombs.wordpress.com/ Cody Toombs

      Not impossible, the photoshop smudge tool might even be enough to pull that off.

      How about making it user-customizable? Some people might blink both eyes, some will wink one eye, some can smile...it could even be a combination or done in a certain order. Of course, your face unlock combination will quickly become so complicated that it takes 30 seconds to unlock, but it would be hilarious to watch people making a combination of bizarre faces at their phones. A small part of me wants to see Paris Hilton doing this.

      One potentially awesome flaw to this idea...Botox ;)

  • http://www.facebook.com/jasonconort Jason Conort

    This is one orchestrated theft of a phone! By the time a thief gets your photo and puts it in Photoshop to edit it, it would have been easy just to look over your shoulder as you put your pin in the phone. Just saying :-)

  • jusatin

    It's not like you can't just "hack" the pin/pattern from the fingerprints /-trails one leaves behind when unlocking the phone

  • http://www.facebook.com/dan.barkley.963 Dan Barkley

    Why not have silly face unlock instead of liveness check. My face is so silly, no one could replicate it. (but maybe the phone ain't that smart yet).