The face that unlocked a thousand Androids

In the previous post I blamed Android's security woes on the device vendors' lack of motivation to make their devices secure despite Google's efforts to maintain security. If the latest reports of a hole in Android's face recognition mechanism are correct this is a breach that falls squarely into Google's lap.

Android 4.0 (code named Ice Cream Sandwich) includes Face Unlock, a feature which, if activated, allows the owner to unlock a device just by presenting his or her face to the device's camera. Cool, right?

Malaysian cell phone blog SoyaCincau posted the following video on youtube which shows that it's possible to use a photograph of the owner's face to unlock the phone.

Assuming this video isn't doctored, Face Unlock is a security sham. This isn't an acceptable compromise between security and functionality like Apple's Siri working on a locked phone. If someone has access to your locked phone it's very likely that they also have or can obtain a picture of you, so this hole makes Face Unlock more or less useless against any real attacker.

What's really strange is that this isn't such a difficult problem to solve. There are several ways one can distinguish between a two dimensional inanimate object and a three dimensional living being. Something as trivial as taking several samples of the face over time would show some movement in real people (e.g. eyes blinking) something that photographs don't generally do. Three dimensionality can be discerned by playing with the focus on different areas of the face (most people don't have flat faces).

Now none of these solutions are perfect, but they would prevent the trivial usage of a static two dimensional photograph as shown in the video above. If this video accurately represents reality, Google really messed up here.