Galaxy Nexus Android 4.0 Face Unlock broken by picture

When Samsung and Google introduced the upcoming Galaxy Nexus smartphone with Android 4.0 (Ice Cream Sandwich) installed, they showed off a feature called Face Unlock which allows people to program their face into the smartphone and then use the phone's camera function to unlock it instead of a password. At the time of the phone's announcement it was suggested that the Face Unlock feature could be fooled just by putting a photo of the person in front of the phone.

One of Google's Android programmers, Tim Bray, tried to calm those fears in a Twitter message, adding, "Give us some credit." But now it seems that a web site has discovered that Face Unlock can indeed be beaten by a simple picture of the phone's owner. SoyaCincau recorded their efforts and posted the result in a YouTube video.

In a later post on the same web site, the writer states that the video is not a hoax or trick. The post also shows a picture of the Galaxy Nexus displaying information about Face Unlock, which says flat out that someone who looks like the owner of the phone could in fact unlock the phone using this feature.

The bottom line is that while Face Unlock may be a nice bullet point for the Galaxy Nexus and for Google's Android 4.0, people who really want to make sure their smartphone is as secure as it can be should rely more on a simple password than on their own image.

60 Comments


Imagine if you will, face unlock on your phone, and you've just been in an accident and horribly disfigured... This might be the only way you can get that important info off your phone again. Think of this as a failsafe.

Why is anyone surprised? Seriously? How is the camera supposed to know if that's a real face or a picture? Unless phones come with stereoscopic front cameras (think Kinect), this trick will always work, regardless of the operating system.

I'm sure if you have something top secret in your phone, you are using a customized security anyway. But for us regular people, it's no big deal.

Anyway I want to test it out using my funny gesture face I use to annoy my girlfriend. I have never been photographed with that gesture.

If I use that as my screen unlock and use my normal face, I wonder if it will pick it up? It will be the first thing I try when I get this phone.

This feature alone is a TOY. Nothing new under the sun. I would feel like a dumbass showing this feature to my friends.
Lol

Same story with pattern unlock really... You can tell what the pattern is by looking at the smudges on the screen.

Yet another case where Google thought things through.

.Neo said,
Same story with pattern unlock really... You can tell what the pattern is by looking at the smudges on the screen.

Yet another case where Google thought things through.

It depends on the screen. I use a smudge proof screen protector, and no one can figure out my pattern unlock.

.Neo said,
Same story with pattern unlock really... You can tell what the pattern is by looking at the smudges on the screen.

Same with the PIN, so duh. Takes a maximum of 24 tries with four different digits. No issue as long as you power-cycle the phone every two tries.

This kind of thing - using a photo for unlocking - has been going on for YEARS. Hell, even the Mythbusters did an episode on it!

Yet it took 2 times to actually get the picture on the 3rd try.

It has been known that it can be cracked with a picture. Don't want it to be cracked? When setting up facial recognition, use a gesture that you never use. This way no one can take a picture of you.

If only there was a PIN or some other more secure locking mechanism for those who don't want to use face recognition. Oh wait, there is.

scorpio_on_blue_moon said,
So they did a half-a**ed attempt to copy Windows 8's photo password feature, only to leave out essential parts...and he begs for some credit!!!
I thought Windows 8 photo password is like simply drawing some gesture on the photo and then it unlocks, but this is completely different? This uses face recognition......

Well you can always make your own unique facial expression as the lock photo. It is the same concept as weak password and strong password

digitheatre said,
Well you can always make your own unique facial expression as the lock photo. It is the same concept as weak password and strong password

Did realize you had the same idea. I just wrote the same thing a few comments below.

Makes me think of a crappy DOA Lenovo Laptop that would not work...the face recognition tech was awful...I'd never get this phone (before I get ruined by android lovers I did once own a Nexus One bought from Google and shipped to UK)

WP7 all the way for me now, though I don't think I'd employ this tech on any phone if it were available.

WP7 said,
Makes me think of a crappy DOA Lenovo Laptop that would not work...the face recognition tech was awful...I'd never get this phone (before I get ruined by android lovers I did once own a Nexus One bought from Google and shipped to UK)

WP7 all the way for me now, though I don't think I'd employ this tech on any phone if it were available.

WP7 allows numeric characters only as a PW; not really good either IMO.

Just did a test...

I loaded facial recognition on my laptop and went through the whole process where it took several pics to create my pic profile. Then I used the webcam to take two pics of myself. One pic was how I looked when my pic profile was taken, and in the second pic I had a different facial expression. Copied pics to phone... 1st pic worked every time, 2nd pic never worked.

So cannot just be any random image of the person.

An individual doesn't need to have a picture of you already to unlock the phone, they simply take the SD card out and grab a photo from there and he comments on the video stating he set it up using his actual face...

Edited by thechronic, Nov 12 2011, 11:20am :

thechronic said,
An individual doesn't need to have a picture of you already to unlock the phone, they simply take the SD card out and grab a photo from there and he comments on the video stating he set it up using his actual face...

This phone doesn't have an SD card. So there goes that.

UndergroundWire said,

This phone doesn't have an SD card. So there goes that.

Er... I'm sure that some Ice Cream devices will allow for expandable storage... therefore that idea is not 'gone' by any means.

thechronic said,

Er... I'm sure that some Ice Cream devices will allow for expandable storage... therefore that idea is not 'gone' by any means.

Let's talk about what's here. Not what will be. It's pretty silly to talk about what isn't here yet because a) The manufacturers don't have to implement it. b) The manufacturers can build on it.

He set up the facial recognition using the picture of his face, and it unlocks with the picture of his face.
He didn't set up the facial unlocking using his face, and unlock it with a picture of his face.

Berserk87 said,
He set up the facial recognition using the picture of his face, and it unlocks with the picture of his face.
He didn't set up the facial unlocking using his face, and unlock it with a picture of his face.

Try reading the video description. He said he set up the recognition with his actual face and not a picture.

Ok, it has to be one damn good photo, up close, and clear for this to work. Not any image of the person will work and I doubt the robber/thief will stop, ask for a pic, and then steal your phone. So random Facebook images will not work so no big whoop.

And why is there a big surprise that this would work? Anyone tried this with laptops with facial recognition? I wouldn't be surprised if it worked. How do you tell the difference between a good, high quality FRONT image of someone compared to the real thing? I bet Apple would have had the same problem.

Edited by techbeck, Nov 12 2011, 10:45am :

techbeck said,
Ok, it has to be one damn good photo, up close, and clear for this to work. Not any image of the person will work and I doubt the robber/thief will stop, ask for a pic, and then steal your phone. So random Facebook images will not work so no big whoop.

Have you got any proof of that? Even if that was true, there are plenty of good photos of almost everyone floating around the web these days as Palpatine suggested above.

techbeck said,

And I wouldn't be surprised if this same "trick" worked on laptops with facial recognition as well.

That's irrelevant. All that matters is that Google have gone to a whole lot of trouble to implement a security measure that just doesn't work.

jakem1 said,

Have you got any proof of that? Even if that was true, there are plenty of good photos of almost everyone floating around the web these days as Palpatine suggested above.

You would have to go out of your way to target specific people...or remember to ask the person you stole the phone from what their full name is so you can look up their image. And if you are scared of your wife/GF messing with your phone, that's an issue this wouldn't solve anyway.


That's irrelevant. All that matters is that Google have gone to a whole lot of trouble to implement a security measure that just doesn't work.

No, it's not irrelevant. Something else that makes Android bad when laptops probably have the same problem and you hear nothing. Just something else to fuel the Apple/Android debate.

jakem1 said,

Have you got any proof of that? Even if that was true, there are plenty of good photos of almost everyone floating around the web these days as Palpatine suggested above.

That's irrelevant. All that matters is that Google have gone to a whole lot of trouble to implement a security measure that just doesn't work.

Companies always try to satisfy lazy users; do you think that the W8 swiping on a picture is much harder to break? It is much easier to "spy" your swiping than try to grab and memorize a twenty-character alphanumeric PW.

simrat said,

and fandroids complain that Metro is ugly.

Well, beauty is in the eye of the beholder, so for some people Metro may be ugly - I personally like it but can't blame anyone who doesn't.
But metro is a design LANGUAGE, a well-planned and built concept while android is just a bunch of stolen design elements sawed together with absolutely no style or cohesion.

Morden said,

Well, beauty is in the eye of the beholder, so for some people Metro may be ugly - I personally like it but can't blame anyone who doesn't.
But metro is a design LANGUAGE, a well-planned and built concept while android is just a bunch of stolen design elements sawed together with absolutely no style or cohesion.

I don't hate any OS myself, I'm just using some trolls' language, you know who, they like to post similar things in every Microsoft article (yeah, even if the article is not related to UI). I like the openness of Android, the app variety of iOS, and the fluid and lag-free UI of WP7.

AnthoWin said,
why are the icons from ICS so ugly looking?

To you. Windows Phone is ugly. It has boxes of color. But again, pretty and ugly are subjective.

UndergroundWire said,

To you. Windows Phone is ugly. It has boxes of color. But again, pretty and ugly are subjective.

That's if you don't pin anything to the homescreen.. I don't have boxes, I have stocks, pictures, social updates, movie pictures..

UndergroundWire said,

To you. Windows Phone is ugly. It has boxes of color. But again, pretty and ugly are subjective.

Windows Phone may be ugly - to you - but at least it has style; something Google could not design, copy or steal since 2008. I'm talking about the base UI of course.

Morden said,

Windows Phone may be ugly - to you - but at least it has style; something Google could not design, copy or steal since 2008. I'm talking about the base UI of course.

Tell me how really hurt you are by that comment. I know when people always attack something else, they were hurt. It's pretty silly. It's not like you were the product manager of that ugly design. Don't let it get to you.

Morden said,
Android security broken... wow, there's a surprise

I do not have an Android device therefore I do not have to defend the brand but stating that this is related to Android is silly, to say the least.
I would not use facial recognition, fingerprint etc. etc.; the only really good way to secure a device is a long alphanumeric + special characters PW....... and change it quite often too.

Morden said,
Android security broken... wow, there's a surprise

I have news for you, Windows Desktop security has been broken for a very long time. People still buy it.

rippleman said,
husband/wife could check messages quite easily with this discovery!! watch out adulterers!

Actually the best way to cheat is download an alternate text messaging program that has security. Root your phone and uninstall your default text message program and nobody will ever see those messages.

Alternatively you can also use your Google Voice number to give out. And put a Do not disturb on the Google Voice number when you are with your significant other. No phone calls or Google Voice Texts will come through. Your significant other is free to look at your default messaging program and will not see anything incriminating.

It works, so I've been told.

Why is everyone so negative about this?

If someone steals your phone it's very unlikely that they are going to take a picture of you beforehand just in case it's a face recognition locked phone. Or if you lose your phone the phone is locked so someone who finds it won't know whose phone it is so they can't just go get a picture from Facebook or something.

People are blowing this way out of proportion.

TheLegendOfMart said,
Why is everyone so negative about this?

If someone steals your phone it's very unlikely that they are going to take a picture of you beforehand just in case it's a face recognition locked phone. Or if you lose your phone the phone is locked so someone who finds it won't know whose phone it is so they can't just go get a picture from Facebook or something.

People are blowing this way out of proportion.

I don't need to take a picture of you. If I know you by name I can use your Facebook profile pic. Try to imagine some jealous girlfriend...

Palpatine said,
I don't need to take a picture of you. If I know you by name I can use your Facebook profile pic. Try to imagine some jealous girlfriend...

Yeah but honestly how likely is it that one of your friends or loved ones is going to steal your phone, in those cases you are going to know who it may possibly be.

TheLegendOfMart said,

Yeah but honestly how likely is it that one of your friends or loved ones is going to steal your phone, in those cases you are going to know who it may possibly be.

I think the point is that this security has a pretty big loophole, regardless of the particulars of who stole it.

Even if you knew the person who stole it, you still might not want them getting into your phone and going through the messages / pictures etc...

TheLegendOfMart said,
Or if you lose your phone the phone is locked so someone who finds it won't know whose phone it is so they can't just go get a picture from Facebook or something.

Even if they did know my name (let's say I have my name on the lock screen), I never use my real picture on my Facebook profile. Don't get me wrong, I have pictures on Facebook of me, but the profile pic has never been one of me. Why should I have my pic for strangers to see?

TheLegendOfMart said,
Why is everyone so negative about this?

If someone steals your phone it's very unlikely that they are going to take a picture of you beforehand just in case it's a face recognition locked phone. Or if you lose your phone the phone is locked so someone who finds it won't know whose phone it is so they can't just go get a picture from Facebook or something.

People are blowing this way out of proportion.

Think about it this way.. it's kind of like having your secret PIN code as your profile picture on Facebook.. if they steal your phone and any type of ID they can get into your phone.. they may even be able to use your driver's licence

King Mustard said,
Fail

It's not a fail. This is no flaw, it's a feature. If you lose your face, how else are you supposed to get into your phone??

Muhammad Farrukh said,
Isn't this old news?

Old news/rumor - yes. But I think this video/article is meant to be a proof of concept.