Smartphones have face recognition that can be easily spoofed with 2D photo, Which? finds

A significant security vulnerability has been uncovered by consumer champion Which?, revealing that the face unlock systems of various smartphones can be easily deceived by a 2D photograph.

The research presents a stark warning about the potential exploitation of this security flaw by criminals, who could bypass phone locks and access sensitive personal information.

This revelation contradicts the perception of face recognition as a highly secure method to unlock phones, thereby raising questions about the overall safety of Android devices.

Since August 2022, Which? has lab-tested 48 new smartphones, including models from Honor, Motorola, Nokia, Oppo, Samsung, Vivo and Xiaomi.

Which? found that nearly 40% of these can be spoofed with a photograph, allowing unauthorized access.

Disturbingly, the photographs used for testing weren’t even high resolution, having been printed on standard office paper using a typical office printer.

Models at the cheaper to mid-range end of the market, such as the £89.99 Motorola Moto E13, were amongst those that failed the test, though the vulnerability was not confined to these, with even high-end models like the £949.99 Motorola Razr 2022 also affected.

The discovery raises grave concerns about the potential theft of sensitive information.

A key example cited by Which? is the Google Wallet app, available for download on all the affected phones, which allows users to make contactless payments and holds personal banking data.

Although Google assured Which? that higher value transactions require a more secure Class 3 biometric unlock, the research body argues that the compromised face recognition systems should be categorised as Class 1, the least secure category.

The report highlighted the fact that a range of sensitive information, such as card details and recent transactions, could be at risk if the screen is unlocked using a 2D photograph.

Most banks have responded to the findings, outlining their own security measures, but it appears that not all banking apps are equally secure.

Interestingly, Apple’s Face ID system, which uses 3D mapping, passed all spoofing tests, indicating a higher level of biometric security on iPhones. This could explain why many banking apps only permit face recognition security measures on Apple devices.

Which? is now urging manufacturers to bolster the security of their biometric systems against spoofing and to educate consumers about the potential vulnerabilities of certain types of facial recognition.

In light of these findings, Which? is advising consumers with the affected phone models to disable face recognition and instead use the fingerprint sensor, or a password or PIN that’s at least six digits long.

Which? Tech Editor, Lisa Barber, expressed strong concerns over the situation, stating, “Our findings have really worrying implications for people’s security and susceptibility to scams. ”

“This needs to be a wake-up call for manufacturers – they need to step up and improve the security of their biometric systems against spoofing.”