Fooling the Ice Cream Sandwich face unlock

As many of you would know, a major feature introduced with Android 4.0 “Ice Cream Sandwich” is face unlock. Through a combination of a front-facing camera (on the Galaxy Nexus) and facial recognition software, you can unlock your phone in around a second using just your face.

There was a report early last month that the new face unlock feature could easily be broken using a photo of the person or a person that looks very similar. I thought it would be poor of Google to allow a new security feature that could so easily be broken, so I decided that I would test out these claims for myself.

You can check out the entire test I did below, simulating a real and possible situation for someone who might steal your phone.

While I did only attempt to use a photo in the above video, I can report that it is very easy to unlock the phone using a vlog-style recording of the person. Very, very easy; so be careful.

51 Comments

FuhrerDarqueSyde said,
Only solution (or way to bolster its security) would be dual front-facing cameras to detect facial-depth at key points.

and even then, is it worth it? In my opinion, no, however with EVO 3D having dual back cameras for 3D imaging, I'm sure it's only a matter of time before we have dual front-facing ones too.

Everyone here seems to be missing the entire point of the face unlock, and even the whole phone lock to an extent. It's mostly designed to protect you from a stranger getting access to your phone, not a friend who took your phone and is bored. The odds of you randomly losing your phone and the thief knowing what you look like are slim to none, nonetheless how they would get a photo of you if they knew who you were.

Also, do you really think that the PIN and pattern unlock is really secure? There's nothing stopping them from plugging your phone into a computer and gaining access to all your data on the phone's memory. Oops.. there goes your security.

Horrible article.


simulating a real and possible situation for someone who might steal your phone.

Yes. Someone who steals your phone in a remote location has pictures of you......So real.

I can report that is very easy to unlock the phone using a vlog-style recording of the person

You used I believe it was 6 pictures and only one of them worked (I bet more than one worked too if you tried again). Not only that it worked 2 out of the 3 times you did it.

I too think that Face Unlock is worthless and a gimmick but this article is worth even less....

So basically if I forget my phone on the bus I better hope the local deviant doesn't have a photo of me he can use to unlock my phone.
Think about it people for f's sake.

What's actually surprising is that it didn't work with most of the photographs. I was expecting any decent photo to be able to unlock the phone.

Anyway, facial recognition is not a security protection layer. It's about as secure as swipe to unlock only that it's arguably more cool.

Google includes new features like this because the way to develop and refine new tech is to get it out into the field.

I thought this was a great feature. Maybe it's just me, but using face recognition is largely to protect you from losing your phone vs having someone who knows what you look like trying to access it.

Unlock with Wifi serves my needs pretty well, this would be good enough for me in between. I mean how secure do you really think your little PIN or pattern really is anyway?

Well it's pretty poor if you ask me, your phone contains a lot of private data esp if you save passwords etc on it use Dropbox and do not password protect that etc. If you can pull a photo of yourself from the phone and unlock it then that to me is laughable as it kinda means you're giving people the key to get on your phone that you lost or had stolen etc. My advice would be DO NOT USE THE FACE RECOGNITION PERIOD till it's fixed.

Pete G said,
Well it's pretty poor if you ask me, your phone contains a lot of private data esp if you save passwords etc on it use Dropbox and do not password protect that etc. If you can pull a photo of yourself from the phone and unlock it then that to me is laughable as it kinda means you're giving people the key to get on your phone that you lost or had stolen etc. My advice would be DO NOT USE THE FACE RECOGNITION PERIOD till it's fixed.

Facial unlock is no different than swipe to unlock. Lock does not mean secure, it means you can't push any buttons without intent.

OK bottom line is Face Recognition on the phone is a "cool" feature, it was NEVER intended to replace security and lock screen. It's demonstration of the types of things that are COMING, do you not understand that?

You pick up the phone, hold it to your face, it unlocks.. great for times when you don't want to swipe because you have pizza in your hand and you want to look at something.. THAT's ALL.

Why are you people bogged down with this feature.. it's supposed to be FUN not scrutinized.. DAMN!

I think they could provide a two-factor authentication to give users an even higher level of security rather than just pin or pattern. Such as Face + Pin in order to unlock the phone.
As long as you don't get in a car accident, this would be just fine

Mobile phones are usually anonymous until they are unlocked (I don't think many people place their names on their phones). So if someone did find your phone, how would they know it was yours to begin with? In that sense, it's fairly secure.

PotatoJ said,
Mobile phones are usually anonymous until they are unlocked (I don't think many people place their names on their phones). So if someone did find your phone, how would they know it was yours to begin with? In that sense, it's fairly secure.

Well secure in the sense that it's a phone with no knowledge of who it belongs.. but they COULD steal your phone and take your apps or data.. or compromise your phone just to mess with you.

I agree security on a phone is the same as security of your TV, nobody personalizes it.. if someone DOES steal it all they want is what you have, the PHONE. First thing they will do is wipe it anyway. But this just gives SOME added measure of convenience.. it's FALSE security, since if you are in the habit of leaving your phone lying around for someone to take to begin with.. locking it at that point will not help you..

rijp said,

if someone DOES steal it all they want is what you have, the PHONE. First thing they will do is wipe it anyway. But this just gives SOME added measure of convenience.. it's FALSE security.
Well, yeah. The same could be said about locking with a PIN. If the person who stole the phone just wants the hardware, they can just wipe it.

I think all those photos would've unlocked it but you were holding them too close, I reckon face unlock would be better if the device had you say a phrase at the same time and used face tracking because, obviously, that can't be done with a photo.

of course it does, how would it be able to tell the difference between a photo/video or normal capture. Stupid to think it would be able to do so

Face unlock is a novelty more than a security feature. I mean, you have to hold the phone out in front of your face and stare at it like a dork to unlock it.

It's just not worth the hassle.

This would work much better with two front cameras, then it would be "easy" to notice whether the face has volume or is just a 2D picture.

The security method is largely irrelevant, as access to the device is the biggest problem. With a pin number / pattern even someone that doesn't know you can keep guessing, waiting for the lockout period to elapse. Whereas this is most vulnerable to people you already know, who are therefore less likely to steal your phone.

The biggest problem will be friends playing pranks, as there are few things more amusing than grabbing a friend's phone, fraping them and then changing the language to Japanese... not that I'd ever do such a thing.

theyarecomingforyou said,
The security method is largely irrelevant, as access to the device is the biggest problem. With a pin number / pattern even someone that doesn't know you can keep guessing, waiting for the lockout period to elapse.

Never used a pin, but pattern unlock after a certain amount of tries, it requires your GMAIL username/password or else the phone will not unlock.

From the video it seems like when the picture shakes less has a better probability of unlocking the phone.

I think it's because the depth as KooKiz said, since it can't distinguish depth with the front face camera, it might as well be programmed to distinguish movement and because the farther away you are the more motionless you seem, maybe it is programmed to read a steady object half an arm away from the phone and that may as well be the key for fooling the face unlock feature.

So I suggest someone tries it with a bigger photo and a steady arm

theokent said,
From the video it seems like when the picture shakes less has a better probability of unlocking the phone.

I think it's because the depth as KooKiz said, since it can't distinguish depth with the front face camera, it might as well be programmed to distinguish movement and because the farther away you are the more motionless you seem, maybe it is programmed to read a steady object half an arm away from the phone and that may as well be the key for fooling the face unlock feature.

So I suggest someone tries it with a bigger photo and a steady arm

I tried your advice and it doesn't work most of the time. Holding it too far away gives a "I can't see your face" error, and holding it with a steady arm makes no difference at all. It also doesn't seem to like it when it can see the edge of the photo

Also, I can unlock it with my real face very close to the phone (~10cm) and with as much movement as I like

How many of these stupid stories are we going to get - I am no Android fan but duck me even I know this is not meant to be a security feature.

What next - "Holy s**t iPhones unlocked with someone else's finger......"

Depicus said,
How many of these stupid stories are we going to get - I am no Android fan but duck me even I know this is not meant to be a security feature.

What next - "Holy s**t iPhones unlocked with someone else's finger......"


HEHE just what I was thinking, how can people still be going on about this?

Before someone goes ahead and blames Google or ICS for this "security flaw", this also works on laptops with the facial unlock feature. I tested it a while ago. Took a pic of myself, showed it to my laptop camera, and the laptop unlocked.

techbeck said,
Before someone goes ahead and blames Google or ICS for this "security flaw", this also works on laptops with the facial unlock feature. I tested it a while ago. Took a pic of myself, showed it to my laptop camera, and the laptop unlocked.

Yes, but this is the problem with Android/Google they put **** out there to put **** out. Why give customers a reason to have a feature that a non-tech person that uses these phones will think is secure, just because they don't know better?

Here is how this feature will be popular. There are people who unless they lock their phone, "butt dial" constantly. So they constantly lock their phones against "butt dialing", however these same people can't remember a password to save their lives. Unless their code is 1234 (and even then I doubt it), they just can't handle passwords. They are the ones that use the finger swipe on laptops religiously because that's the only way they can get in.

For those people the Face software will be a savior.

I know a few of these already...without even trying

TechGuyPA said,
Here is how this feature will be popular. There are people who unless they lock their phone, "butt dial" constantly. So they constantly lock their phones against "butt dialing", however these same people can't remember a password to save their lives.

Swipe unlock prevents "butt dialing" as well and has more features

Um... is it not obvious that you were holding the photo too close to the camera? That's why when you 'accidentally' unlocked it near the end - it was because you didn't put the pic so close to the phone.

Maybe down to focusing?

zoonyx said,
Um... is it not obvious that you were holding the photo too close to the camera? That's why when you 'accidentally' unlocked it near the end - it was because you didn't put the pic so close to the phone.

Maybe down to focusing?

Nope, trust me I tried it many times off camera with many more photos of varying sizes, and most of the time it didn't work

zoonyx said,
Um... is it not obvious that you were holding the photo too close to the camera? That's why when you 'accidentally' unlocked it near the end - it was because you didn't put the pic so close to the phone.

Maybe down to focusing?

Of course there is always someone who 'knows' everything.

How is it surprising? The phone isn't Kinect, there's no depth sensor. How is the device supposed to distinguish a real face from a mere picture?

KooKiz said,
How is it surprising? The phone isn't Kinect, there's no depth sensor. How is the device supposed to distinguish a real face from a mere picture?

A human face is alive, you can blink and move your lips, a photo can't. Maybe it should only work if you blink.

wixostrix said,

A human face is alive, you can blink and move your lips, a photo can't. Maybe it should only work if you blink.


A video is also 'alive' by your definition.

Maybe in the next incarnation they can add a face "gesture"; where you have to make a certain face before it unlocks, ie. one eye closed, raised eyebrow, frowning. Then we can all look stupid while unlocking our phones.

giantpotato said,

A video is also 'alive' by your definition.

Maybe in the next incarnation they can add a face "gesture"; where you have to make a certain face before it unlocks, ie. one eye closed, raised eyebrow, frowning. Then we can all look stupid while unlocking our phones.

I know but I was figuring, a picture of someone would be a lot easier to capture, but with today's phones, I guess it's almost just as easy.
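The blink and face-gesture ideas from the comments above, modelled as an added example (it is not part of the article or of any commenter's post, and it is not how Android implements Face Unlock): a passive blink test accepts a replayed recording, while a gesture sequence chosen at random for each unlock does not. The per-frame expression labels, the gesture names and the sample frame lists are assumptions constructed for illustration.

```python
import secrets
from math import perm

# Labels a per-frame expression classifier is ASSUMED to emit (hypothetical names).
GESTURES = ["left_eye_closed", "right_eye_closed", "eyebrow_raised", "frown"]

def passive_blink_check(frames):
    """Pass if the eyes are seen open, then closed, then open again."""
    seen_open = seen_closed = False
    for f in frames:
        if f == "blink":
            seen_closed = seen_open      # a blink only counts after open eyes
        elif seen_closed:
            return True                  # eyes reopened: looks "alive"
        else:
            seen_open = True
    return False

def make_challenge(length=2):
    """Pick distinct gestures in a random order, fresh for every unlock."""
    pool = list(GESTURES)
    return [pool.pop(secrets.randbelow(len(pool))) for _ in range(length)]

def observed_gestures(frames):
    """Collapse the frame stream into the sequence of gestures performed."""
    seq = []
    for f in frames:
        if f in GESTURES and (not seq or seq[-1] != f):
            seq.append(f)
    return seq

def challenge_check(frames, challenge):
    """Pass only if exactly the prompted gestures occur, in the prompted order."""
    return observed_gestures(frames) == list(challenge)

def replay_odds(length=2):
    """Chance that one fixed recording happens to match a fresh challenge."""
    return 1 / perm(len(GESTURES), length)

# Constructed sample inputs (not captured data).
PHOTO = ["neutral"] * 12
RECORDED_VIDEO = ["neutral"] * 3 + ["blink"] * 2 + ["neutral"] * 3 + ["frown"] * 2 + ["neutral"]

def live_response(challenge):
    """A present user blinking, then performing each prompted gesture."""
    frames = ["neutral", "blink", "neutral"]
    for g in challenge:
        frames += [g, g, "neutral"]
    return frames

if __name__ == "__main__":
    challenge = make_challenge()
    for name, frames in [("photo", PHOTO), ("recording", RECORDED_VIDEO),
                         ("live user", live_response(challenge))]:
        print(name, passive_blink_check(frames), challenge_check(frames, challenge))
```

With four gestures and a two-step prompt, a single fixed recording matches a fresh challenge at most 1 time in 12; longer prompts shrink that further at the cost of convenience.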

It could shine a light at your face. A flat photo would be illuminated evenly, while a face with depth would be illuminated in a pattern with shadows around the nose and eyes and such.

To make the light in the face not annoying, they could make it infrared, which would be invisible to humans but visible to a camera.

The only way to trick that would be to make a manikin head that recreates someone's face realistically.

ok...I'm just going to point one thing out with this....it all hinges on the use of the word, "Major".

It's not a major feature at all...it's a gimmick. Similar to calling the fingerprint tech on laptops a Major hardware implementation.

I have the Galaxy Nexus...Face Recognition works relatively well, but frankly it's never going to be as strong as a strong passphrase as some people look alike and it can be broken.

I don't think Google ever claimed that the feature was a) major or b) security gold!

Wiggz said,
ok...I'm just going to point one thing out with this....it all hinges on the use of the word, "Major".

It's not a major feature at all...it's a gimmick. Similar to calling the fingerprint tech on laptops a Major hardware implementation.

I have the Galaxy Nexus...Face Recognition works relatively well, but frankly it's never going to be as strong as a strong passphrase as some people look alike and it can be broken.

I don't think Google ever claimed that the feature was a) major or b) security gold!

I don't think they claimed that.... But what a senior Google person said a few months ago when ICS and the Nexus was shown for the first is that photos CANNOT be used to unlock a device; "give us some credit" is what he said.

Wiggz said,
ok...I'm just going to point one thing out with this....it all hinges on the use of the word, "Major".

It's not a major feature at all...it's a gimmick. Similar to calling the fingerprint tech on laptops a Major hardware implementation.

I have the Galaxy Nexus...Face Recognition works relatively well, but frankly it's never going to be as strong as a strong passphrase as some people look alike and it can be broken.

I don't think Google ever claimed that the feature was a) major or b) security gold!

Maybe not facial recognition but what will work is fingerprinting (eventually) and maybe the retinal scanning like they have for some high security vaults

I turned it on to try it out, but found it too annoying to have to wait for the camera then align my face (added to that at night it does not work ... ) and so switched it off after saying "cool". But I don't really think this was ever portrayed as an "improved security feature" by Google, they just needed something to show off the power of the phones and ICS, just like Apple did with Siri, it sold lots of phones, but does anyone really use it?

Yeah. The very first thing I did with the Nexus was enable face unlock then take a pic of me with my friend's iPhone and then hold the iPhone in front of the Nexus showing my pic. It unlocked my phone 100% of the time. I won't be trusting it.

I think many people have come to realise that for the moment the face unlock method is more a novelty than a security measure. Hopefully Google won't give up on trying to improve it though.

Intrinsica said,
I think many people have come to realise that for the moment the face unlock method is more a novelty than a security measure. Hopefully Google won't give up on trying to improve it though.

I agree with you. In fact, there's a prompt telling you when you setup Face Unlock that it is not a secure feature:

Keep these things in mind:

- Face Unlock is less secure than a pattern, PIN, or password.
- Someone who looks similar to you could unlock your phone.
- The data used to identify your face is kept private on the phone.

I wonder why they even wasted time implementing it...

For security it's inferior to pin or password, and if you're not in a well lit enough place you won't be able to unlock your phone

Leonick said,
I wonder why they even wasted time implementing it...

For security it's inferior to pin or password, and if you're not in a well lit enough place you won't be able to unlock your phone

Because it is Google and it is Android: **** gets thrown to the wall and whatever sticks they implement; regardless of if it makes sense or not.

Leonick said,
I wonder why they even wasted time implementing it...

For security it's inferior to pin or password, and if you're not in a well lit enough place you won't be able to unlock your phone


Yeah, and I don't know how they would ever be able to secure this so that you wouldn't be able to use a picture...

Leonick said,
I wonder why they even wasted time implementing it...

For security it's inferior to pin or password, and if you're not in a well lit enough place you won't be able to unlock your phone

if it fails in a dark room it will always give you the pin prompt