Android Jelly Bean Face Unlock ‘liveness’ check easily hacked with photo editing
Google improves Face Unlock on Jelly Bean by requiring users to blink, but even this can easily be spoofed through image editing.
With profile pictures easy to access through social networks, Face Unlock could easily be circumvented, which defeats the purpose of securing the lock screen in the first place.
Jelly Bean adds another layer of security, which supposedly ensures “liveness” by checking whether the person is actually moving. For this purpose, the software checks for a blink after the initial scan. After you blink, off goes your phone’s lock screen.
Again, though, this system has been easily circumvented. This time, it will require a bit of photo editing on the hacker’s part. Because the user is supposed to blink to prove he or she is the real deal, Jelly Bean will have to be fooled to think that a blink has been done with simple photo editing.
- First, find a fairly recent image of the smartphone or tablet owner. Facebook should be a great source.
- Using photo editing software, paint over the eyes with the same color as the surrounding skin tone.
- Flash the photos alternately to simulate a blink.
It seems Jelly Bean cannot differentiate between a real blink and one that involves some image editing. While we wait for Google to fix these issues, the Face Unlock feature is likely to remain just a novelty on Android, and we don’t recommend using it if you keep sensitive data on your mobile device. Use a PIN, password or pattern unlock instead. And if it interests you, other platforms also have innovative ways of securing lock screens, such as Windows 8’s picture password feature. It’s also rumored that Apple may include fingerprint scanning on iOS devices, after it acquired AuthenTec in July.
Check out the video below for a sample of how Jelly Bean’s face unlock feature can be tricked.