Large numbers of smartphones use face recognition systems that can be fooled into unlocking using only a printed 2D photograph, Which? research has found. A flaw criminals could exploit to unlock mobile phones and steal personal information could affect phones from the likes of Honor, Motorola, Nokia, Oppo, Samsung, Vivo and Xiaomi.
The consumer champion has revealed concerns that face recognition, which is often promoted as one of the most secure ways to unlock a phone, could inadvertently enable scammers to easily bypass a screen lock on certain Android phones, simply with one photo, and access logged-in apps which contain a range of sensitive information.
Which? sent 48 smartphones to be tested, finding that 19 new phones (40 per cent) can be easily tricked using a photo to get past the phone’s lock screen and gain access to the phone. Worryingly, the photos of the phone’s real-life user were not particularly high resolution and were printed on a standard office printer on normal paper. This shows that the photo ‘hack’ needs no special equipment, making it very easy for criminals to exploit these face recognition systems.
The majority of the phones that failed the biometric test by Which? sat at the cheaper to mid-range end of the market, with prices from £89.99 for the Motorola Moto E13, although prices reached some of the more expensive handsets too, such as the Motorola Razr 2022, which launched at £949.99.
Xiaomi had seven phone models that could be exploited during the test. Meanwhile, Motorola had four; Nokia, Oppo and Samsung each had two and Honor and Vivo had one affected model each.
Enabling criminals to access banking information?
Users in the UK can make contactless payments with Google Wallet up to the value of £45 without needing to unlock the phone. Google explained that for higher-value transactions, users must use a more secure Class 3 biometric unlock. This means that if people use models that Which? was able to spoof, they are not able to complete transactions over £45 when face recognition is being used to unlock the phone.
While this appears to ensure some level of safety against these less secure biometric features, the Google Wallet app can still contain sensitive information useful to scammers, accessible if a photograph has been used to unlock the phone. Registered credit or debit cards tell the scammer who the victim banks with and may display the last 4 digits of their card numbers. The app may also contain information about recent transactions, such as where users shopped and how much they paid, which might help a scammer answer security questions.
Some banks responded to Which?’s research, explaining how they mitigate these types of issues in their banking apps. Banking apps usually require additional authentication steps for a customer’s higher-risk actions.
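The Class 3 requirement that Google describes, and the extra checks the banks mention, can be enforced by any Android app before a high-risk action. The Kotlin below is an added illustration, not code from Which?, Google or any bank named here: it uses the androidx.biometric library to accept only a Class 3 (BIOMETRIC_STRONG) authenticator, so a camera-only face unlock of the kind fooled by a printed photo is never enough on its own. The activity and the onUnlocked/onDenied callbacks are assumed for the example.

```kotlin
import android.os.Build
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity

// Hypothetical helper: gate a high-risk action (for example a payment above a threshold)
// behind a Class 3 biometric, with the lock-screen PIN/password as the only fallback.
// BIOMETRIC_WEAK (Class 2) is deliberately never requested: that is the class that
// covers the photo-spoofable face unlock implementations.
fun requireStrongAuth(activity: FragmentActivity, onUnlocked: () -> Unit, onDenied: (String) -> Unit) {
    // Combining a biometric with DEVICE_CREDENTIAL in one prompt is only supported from
    // API 30; older devices get a negative button that the app can route to its own PIN flow.
    val allowed = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R)
        BIOMETRIC_STRONG or DEVICE_CREDENTIAL else BIOMETRIC_STRONG

    // Ask the framework whether a Class 3 authenticator (or the credential fallback) exists.
    val status = BiometricManager.from(activity).canAuthenticate(allowed)
    if (status != BiometricManager.BIOMETRIC_SUCCESS) {
        onDenied("no Class 3 authenticator available (status $status)")
        return
    }

    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // result.authenticationType says whether a biometric or the device credential was used,
            // which is useful for risk logging; either way it was a strong authenticator.
            onUnlocked()
        }
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
            onDenied(errString.toString())
        }
    }

    val builder = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm payment")
        .setSubtitle("A strong biometric or your screen lock is required")
        .setAllowedAuthenticators(allowed)
    // A negative button is mandatory whenever DEVICE_CREDENTIAL is not part of the prompt.
    if ((allowed and DEVICE_CREDENTIAL) == 0) builder.setNegativeButtonText("Use PIN instead")

    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(builder.build())
}
```

On a handset whose only face unlock is Class 2, canAuthenticate(BIOMETRIC_STRONG) reports no usable hardware or nothing enrolled, so the prompt is never shown with the weak sensor and the user is pushed to a fingerprint, PIN or password.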
‘A wake-up call for manufacturers’
Lisa Barber, tech editor at Which?, said: “It’s unacceptable that brands are selling phones that can easily be duped using a 2D photo, particularly if they are not making their customers aware of this vulnerability. Our findings have really worrying implications for people’s security and susceptibility to scams.
“We would strongly advise anyone using these phones to turn off face recognition and use the fingerprint sensor, a strong password or a long PIN instead.
“This needs to be a wake-up call for manufacturers – they need to step up and improve the security of their biometric systems against spoofing.”
All Apple phone models tested passed the spoofing tests. Because Apple’s Face ID is more secure, using sensors to build a 3D depth map of the face, a wide range of banking apps only enable face recognition as a security measure on Apple iPhones.