Google’s upcoming Pixel 4 handset will ship with a glaring security hole in its brand new Face Unlock feature.
According to BBC reporter Chris Fox, the Face Unlock mechanism works even when the device owner has their eyes shut, something that facial recognition systems are usually configured to prevent.
This lack of protection in the Face Unlock feature opens the door for some potential abuses — such as a child, partner, or kidnapper unlocking a Pixel 4 device while the owner is sleeping or unconscious.
Pixel 4 is the first handset where Face Unlock will be available. The phone is scheduled to go on sale on October 24.
Google was so sure of Face Unlock’s strength that it removed all fingerprint sensors from Pixel 4 handsets, leaving its brand new facial recognition system as the only biometrics authentication system available on the device.
In leaked images obtained by The Verge this month, the Face Unlock settings page included an option named “Require eyes to be open,” which would have prevented a third-party from unlocking a device while the owner was asleep or out cold.
However, it appears that Google changed its mind about including this safety mechanism. The company told Fox that this option would not be available in Pixel 4 devices going on sale next week.
Google has also removed any mention of the option from the Face Unlock feature’s support page, instead recommending that users keep their Pixel 4 phones “in a safe place, like your front pocket or handbag.”
The reasons why Google removed the feature are unknown, but it could be that the option either didn’t work (didn’t recognize when eyes were closed or open) or it had a high rate of false positives (it worked, but with errors).
The bug is not likely to tarnish the Pixel 4’s launch, a high-end device coming loaded with lots of new features — see here for an in-depth Pixel 4 breakdown.
Samsung: Et tu, Google!
Google is the second major phone vendor in the past week that has had problems with its biometrics authentication systems.
Earlier today, Samsung confirmed they were working on a fix for a bug that allowed a bypass of the fingerprint sensor authentication of Galaxy S10, S10+, S10e, and Note 10 handsets.
The bug was discovered by a British couple last week. According to the two, using a custom screen protector would neutralize the fingerprint sensor, which would unlock the device with anyone’s fingerprint, not just those registered on the phone.
Samsung S10’s facial recognition didn’t fare much better either. A user discovered earlier this year that the S10’s facial recognition feature could be bypassed with a video of the owner playing on another phone.
Facial recognition software is usually pretty inefficient, especially on smartphones. For example, users bypassed the facial recognition on a Samsung S8 using a photo, they bypassed Apple’s FaceID feature on an iPhone X with a $150 mask, they broke into many top tier Android phones using a 3D-printed head, and they used the same 3D printed head method to gain access to a Windows 10 device protected by the Windows Hello biometrics solution.
In fact, the issue with bypassing facial recognition is quite widespread. A study by a Dutch non-profit last year found that attackers could bypass face unlock-type features on 42 out of the 110 smartphones they tested.