Dec 5, 2011

Android Face Lock feature spoofed by photograph

When Google announced Ice Cream Sandwich last month, one of the features that had the most conversation swirling around it was Face Lock. It’s an application designed to make use of a front-facing camera on an Android handset to unlock the device using facial recognition.

Setting it up involves taking a picture of your face, which the phone then uses for a security comparison. To gain access to the phone, you look into the front-facing camera and a comparison is done with the previously captured image. If the faces match, the device will unlock. During the ICS launch event, Google had said that it wasn’t possible to spoof Face Unlock by just using a photograph of the owner’s face. Problem is, an enterprising writer has done just that, several times.

A writer from SoyaCincau was at the Samsung Galaxy Note regional launch in Jakarta when he spied a Galaxy Nexus on display. Upon receiving a question about tricking Face Lock from a reader on Twitter, he decided to give it a try. Capturing an image of his face with a Galaxy Note, the writer was able to unlock the Galaxy Nexus several times using just the picture he took. There was some confusion at first when the story broke, with some saying that he had set up the Nexus to recognize the picture from the Note. This was not the case, as he provided proof to the contrary.

There has been no word from Google as to why this works when they said it didn’t. If it is something that can be repeated across ICS devices, Android has a serious security problem. That said, most developers do not consider Face Lock to be a secure way to authenticate anyhow.

There is certainly some cause for embarrassment for Mountain View regarding this issue. With the Ice Cream Sandwich source code dropping yesterday on AOSP, you can bet that many will be testing this to see if it can be recreated.

Check out the demo of the spoof in the video below.
