Discover the smartphone face recognition vulnerability affecting popular brands like Honor, Motorola, Nokia, Oppo, Samsung, Vivo, and Xiaomi, with potential risks of unauthorized access and data theft.
According to research by Which?, a large percentage of smartphones include face recognition technology that can be tricked into opening the device using just a printed 2D snapshot. Numerous phone brands, including Honor, Motorola, Nokia, Oppo, Samsung, Vivo, and Xiaomi, may be affected by a bug that thieves might use to unlock mobile devices and steal personal information.
Concerns have been raised by the consumer champion that face recognition, which is frequently touted as one of the most secure ways to unlock a phone, may unintentionally make it possible for con artists to easily get past a screen lock on some Android phones with just one photo and access logged-in apps that contain a variety of sensitive data.
Which? submitted 48 smartphones for testing and found that 19 of them (40%) could be easily fooled into unlocking from the lock screen with a photo. Worryingly, the images of the phone’s actual owner were low resolution and printed on ordinary paper using a common office printer. This shows how simple it is for crooks to take advantage of photo “hacks” against these face recognition systems.
Most of the phones that failed Which?’s biometric test sit at the more affordable to mid-range end of the market, with prices starting at £89.99 for the Motorola Moto E13. The problem did, however, reach some of the more expensive handsets, such as the Motorola Razr 2022, which debuted at £949.99.
Seven different Xiaomi phone models could be spoofed in the test. Motorola had four affected models, while Samsung, Nokia, and Oppo each had two, and Honor and Vivo each had one.
Allowing thieves to access banking data with face recognition?
Users in the UK can use Google Wallet to make contactless payments up to a maximum of £45 without having to unlock their phones. Google noted that customers must use a more secure Class 3 biometric unlock for higher-value transactions. This implies that if facial recognition is being used to unlock the phone, users of models that Which? was able to spoof are unable to perform transactions worth more than £45.
Even though this seems to offer some protection from these less reliable biometric capabilities, the Google Wallet app may still include private data that thieves can access if a photo has been used to unlock the phone. When credit or debit cards are registered, the last four digits of the card numbers may be shown to the con artist. The app might also have information on recent transactions, such as where users went shopping and how much they spent, which might be used to help answer security questions.
In response to Which?’s investigation, some banks provided details on how they address this kind of problem on their banking apps. For a customer’s higher-risk activity, banking apps typically use additional requirements or a variety of authentication mechanisms.
A warning to manufacturers
“It’s unacceptable that brands are selling phones that can be easily tricked using a 2D photo, particularly if they are not informing their customers of this vulnerability,” said Lisa Barber, tech editor at Which?. “The consequences of our findings for people’s security and susceptibility to fraud are extremely concerning.”
Considering the face recognition vulnerability, it is strongly recommended that users of these affected smartphones disable facial recognition. Instead, use the fingerprint sensor, a strong password, or a lengthier PIN. Manufacturers should use this incident to strengthen biometric system security against spoofing.
The spoofing tests were passed by every tested Apple phone model. Many banking apps only allow face recognition as a security feature on Apple iPhones because Apple’s Face ID is more secure and uses sensors to produce a 3D depth map of your face.