Samsung, the world’s largest cellphone manufacturer, has a problem with their flagship offerings, the new S8 and S8+ devices. Both were released with a new facial recognition software the company used as an advanced security measure.
The idea was a thing of beauty in its simplicity. Advanced machine learning coupled with advanced image recognition routines allowed the company to create software that would allow the phone to recognize your facial features, using your face as the means of locking and unlocking your phone.
A lot of time and money went into developing the new scheme, which was seen as being on the leading edge of a new era in biometric security. There was just one problem. It only took hackers a few days to find a way to break it, and their solution was almost shockingly simple. They used online photos of the phone’s owner to trick the “smart” software into thinking they were the actual owner.
Yes, you read that correctly. A photo pulled off the internet was all that was needed to trick the phone into unlocking for any hacker who got ahold of it. 9to5Google refers to the following IDeviceHelp video showing how it is done:
The software is, of course, smart enough to differentiate between a still photo and a living, moving, constantly shifting human face, but it turns out that the workaround for that was pretty simple too. You need but shake or jiggle the phone in front of the picture to give the image a sense of motion, and the phone dutifully gives up its secrets.
The company is reportedly working on tightening up their algorithm to help prevent this in the future, but at this time, there’s no ETA for when it might be forthcoming.
Fortunately, the company did not enable facial recognition for its Samsung Pay feature. So, although a hacker could gain near-total control of one of those Samsung devices in this manner, at least they would not be able to access the pay function and initiate rogue transactions. Still, this finding represents a black eye, and a significant step backwards.