Saturday, November 12, 2011

Android's Facial Unlock feature bypassed by a picture

If you remember the exchange between the lead developer of popular Android custom firmware CyanogenMod and Tim Bray, a Developer Advocate at Google, over the Android 4.0 (Ice Cream Sandwich) feature "facial unlock," you are probably thinking "WTF?" right about now. A video posted to purports to show an end user unlocking a Galaxy Nexus with a picture of himself.

The thing is, as quite a few people have pointed out, there's no way of knowing if the person involved trained the Galaxy Nexus and ICS to unlock using the photo, or his own face. It would be theoretically possible to train it using the photo, in which case unlocking it that way would make perfect sense.

In fact, an actual picture wasn't used.  As the "break-in" was attempted at a recent Samsung event, an image of his face on a different smartphone was used.  In the blurb at the YouTube video depicting the security flaw, he said:

"While some of you think that it is a trick and I had set the Galaxy Nexus up to recognise the picture, I assure you that the device was set up to recognise my face.... I would love to do this test again but I don't have a Galaxy Nexus, it is VERY hard to come by as it is not launched yet, but I urge anyone with a Galaxy Nexus to do the same test. Program the device to recognise YOUR FACE and then try to trick the same device with a similar looking picture, it will work."

A Google representative told CNET that the feature is still considered experimental, and provides a low level of security. In fact, the user interface itself warns end users that "Face Unlock is less secure than a pattern, PIN, or password." Much less than a picture, it even warns that "Someone who looks similar to you could unlock your phone."

This goes against Bray's reassurances. When, after the Ice Cream Sandwich and Galaxy Nexus launch in Hong Kong last month, Koushik Dutta (Koush), the lead developer of CyanogenMod, Tweeted that “The face recognition unlock thing is really easily hackable. Show it a photo."

To that, Tim Bray, a Developer Advocate at Google, focusing on Android, replied, "Nope. Give us some credit."

It's difficult to understand why Bray would be exhibit false bluster if it wasn't really the case that the facial unlock features were that secure. On the other hand, if someone can take a snapshot of your face (and a full-on, or at least mostly full-on one) to boot, and then manages to get you to leave your phone where he or she can get at it, perhaps they deserve the phone after all.

Watch the demo, below.

No comments: