With Android Ice Cream Sandwich, Google launched a new feature called Face Unlock. Face Unlock is a great feature for those who don’t like to type a password every time. With it, a user can unlock the phone just by using the device’s front-facing camera. The feature does make the smartphone friendlier when it comes to overall user experience. Unfortunately, it was found to be highly insecure: Face Unlock will unlock the device even if a static photo of the owner is held up to the front-facing camera, which is a major flaw.
Google has attempted to fix the flaw in Face Unlock in the next version of Android. In Android 4.1 Jelly Bean, users are actually required to blink, but hackers have found a flaw in the liveness detection system too.
In the latest version of Android, Google has added an extra layer of security that supposedly confirms “liveness” by inspecting whether the person is actually moving. As part of the process, the system checks for blinks after the initial scan, and the screen unlocks after the first blink. This system can be easily circumvented too, although the hacker needs some photo editing skills to do it.
All a hacker needs is a photo, and with the boom of social networking sites like Facebook, finding the person’s image shouldn’t be a big deal. Since the liveness detection on Jelly Bean checks for blinks to decide whether the person is real, a blink can easily be simulated with simple photo editing software.
1. First, find a fairly recent image of the smartphone or tablet owner.
2. Using photo editing software, paint over the eye area with the same color as the surrounding skin.
3. Flash the photos alternately to simulate a blink.
The hack proves that the system incorporated in Jelly Bean can’t tell the difference between a real blink and one simulated with image editing software. Until Google fixes this flaw, Face Unlock will remain a novelty on Android: it can be easily circumvented, which defeats the whole purpose of locking the screen from a security point of view. Using a PIN, password or pattern unlock instead will ensure your data doesn’t reach the wrong hands, so if you do have something important stored on your smartphone, refrain from using Face Unlock.
Since Google added the Face Unlock feature, many other platforms have also been devising innovative ways of securing lock screens, such as Windows 8’s picture password feature. Recently, Apple acquired a security company called AuthenTec for $356 million. AuthenTec focuses on fingerprint security, and Apple may use the technology and patents to add fingerprint scanning as a security feature on future iOS devices.
The above video demonstrates how easily Jelly Bean’s Face Unlock feature can be circumvented. If you are interested in unlocking your Android device using facial recognition technology but don’t have a device that supports Ice Cream Sandwich or Jelly Bean, you can still get this feature with an Android app called Visidon Applock. The app requires the device to have a front-facing camera and will work on any version of Android. It even has liveness detection. We have previously reviewed Visidon Applock.
What are your thoughts on this security flaw? Will you stop using the Face Unlock feature from now on until Google releases a fix or continue to use it? Let us know your thoughts using the comment form below.