Hacking Face ID, the facial recognition system built into Apple’s iPhone X, isn’t easy. Unless, it turns out, you’re a very specific hacker—say, a rare 10-year-old kid, trying to break into the phone of whichever of your parents looks the most like you.
Attaullah Malik and Sana Sherwani made that discovery earlier this month, when their fifth-grade son, Ammar Malik, walked into the bedroom of their Staten Island home to admire their new pair of iPhone Xs just after they’d set up Face ID. “There’s no way you’re getting access to this phone,” the older Malik remembers his wife telling her son, in a half-joking show of strictness
The parents were shocked. Ten-year-old Ammar thought it was hilarious. “It was funny at first,” Malik told WIRED in a phone call a few days later. “But it wasn’t really funny afterward. My wife and I text all the time and there might be something we don’t want him to see. Now my wife has to delete her texts when there’s something she doesn’t want Ammar to look at.”
With Face ID, Apple has launched a grand experiment in a form of biometric security previously untested at this scale. For the most part, that gamble has paid off; WIRED’s failed attempts to fool the system hint at how it defeats the most straightforward attempts at spoofing, and even the Vietnamese hackers who recently claimed to have defeated Face ID used a largely impractical technique. Their method required obtaining a detailed digital scan of their victim’s face, and building a mask out of 3-D-printed plastic, silicone, makeup, and paper.
But aside from hackers actively trying to spoof Apple’s biometrics, facial recognition presents other, more accidental privacy issues. For one, family members with similar faces can unlock each other’s devices. Apple has, in fact, conceded that twins and even non-identical family members may sometimes be able to fool Face ID. But the case of spitting-image children unlocking their parents‘ phones presents what might be Face ID’s most practical concern yet.
“We don’t want to disable Face ID. It’s very convenient. But this is a lot of hassle in terms of privacy,” says Malik, who works as the director of technology operations at tech firm Taskstream. He points out that a parent‘s phone can offer access to apps that encompass everything from banking to food delivery.
“If my son had access to my wife’s phone and she had that app on it, he could order ice cream for himself whenever he wanted,” he says. (Malik was careful to note that Ammar is a “good kid” who isn’t likely to take advantage of his access to his mother‘s phone. Malik also added that Ammar gets the best grades in his class.)
As Malik tells it, after his wife first registered her face in the phone, his son was able to dependably unlock his wife’s iPhone X, as captured in the video above that he shared with WIRED, and wrote in a post on LinkedIn. When Ammar tried his father’s phone instead, it also unlocked, but only on one attempt, which he has since been unable to replicate. Malik found that especially puzzling, since he says his son’s face is clearly smaller than his wife’s, and the two have somewhat different features. “People generally say he looks more like me,” Malik says.
At WIRED’s suggestion, Malik asked his wife to re-register her face to see what would happen. After Sherwani freshly programmed her face into the phone, it no longer allowed Ammar access. To further test it, Sherwani tried registering her face again a few hours later, to replicate the indoor, nighttime lighting conditions in which she first set up her iPhone X. The problem returned; Ammar unlocked the phone on his third try this time. It worked again on his sixth try. At that point, Malik says, the phone’s AI seemed to learn Ammar’s features, and he could consistently unlock it again and again.
All of that suggests that in the right conditions—and if parents aren’t aware of the possibility—a lucky child might be able to unexpectedly access his or her parent‘s secrets. “Not everyone will have done this sort of testing, or they might not be aware that someone else in their family can log into the phone,” says Malik.
It’s not clear how widespread the Face ID’s family problem extends, or if other kids have been able to unlock their parents‘ iPhone Xs. Apple didn’t respond to WIRED’s request for comment, beyond pointing to its Face ID security white paper and support page, which states that “the statistical probability is different for twins and siblings that look like you and among children under the age of 13, because their distinct facial features may not have fully developed. If you’re concerned about this, we recommend using a passcode to authenticate.”
Malik and Sherwani’s son isn’t the only unexpected relative who’s been able to unlock an iPhone X. So have non-identical siblings, including this pair of brothers, and another pair of British half-brothers with a significant age gap between them, shown below.
In those cases, however, the siblings may have purposefully or inadvertently trained their iPhone X on a composite of the two faces. Every time a PIN is entered after a rejected face, Face ID is designed to treat that scan as a misfire, correcting itself so that it becomes more accurate over time. If those siblings entered a PIN after the wrong sibling’s face was rejected by Face ID, the system would have learned his features.
But Malik insists that’s not what happened in the case of his family. The phone unlocked the very first time Ammar looked at it, he says, and in later instances when his face didn’t unlock it, no one ever entered the PIN after any of the failed unlocking attempts.
The solution for anyone who doesn’t want to disable Face ID and rely on a PIN, Malik points out, is simply to try Face ID on your children after setting it up on yourself. “You should probably try it with every member of your family and see who can access it,” he says.
In the rare case it does unlock, try re-registering your face in different light and testing it again. And failing that, keep a close eye on your phone’s whereabouts whenever it’s within a child‘s reach—and another eye on your ice-cream delivery app’s transaction history.