Security firm claims to thwart iPhone X’s Face ID with a mask

When Apple introduced Face ID security alongside the iPhone X, it boasted that even Hollywood-quality masks couldn’t fool the system. It might not be a question of movie-like authenticity, however — security researchers at Bkav claim to have thwarted Face ID by using a specially-built mask. Rather than strive for absolute realism, the team built its mask with the aim of tricking the depth-mapping technology. The creation uses hand-crafted “skin” made specifically to exploit Face ID, while 3D printing produced the face model. Other parts, such as the eyes, are 2D images. The proof of concept appears to work, as you can see in the clip below. The question is: do iPhone X owners actually have to worry about it?

The researchers maintain that they didn’t have to ‘cheat’ to make this work. The iPhone X was trained from a real person’s face, and it only required roughly $150 in supplies (not including the off-the-shelf 3D printer). The demo shows Face ID working in one try, too, although it’s not clear how many false starts Bkav had before producing a mask that worked smoothly. The company says it started working on the mask on November 5th, so the completed project took about 5 days.

When asked for comment, Apple pointed us to its security white paper outlining how Face ID detects faces and authenticates users.

Is this a practical security concern for most people? Not necessarily. Bkav is quick to acknowledge that the effort involved makes it difficult to compromise “normal users.” As with fake fingers, this approach is more of a concern for politicians, celebrities and law enforcement agents whose value is so high that they’re worth days of effort. If someone is so determined to get into your phone that they build a custom mask and have the opportunity to use it, you have much larger security concerns than whether or not Face ID is working.

More than anything, the seeming achievement emphasizes that biometric sign-ins are usually about convenience, not completely foolproof security. They make reasonable security painless enough that you’re more likely to use it instead of leaving your device unprotected. If someone is really, truly determined to get into your phone, there’s a real chance they will — this is more to deter thieves and nosy acquaintances who are likely to give up if they don’t get in after a few attempts.

Source: Bkav

Engadget RSS Feed

The best wireless outdoor home security camera

By Rachel Cericola

This post was done in partnership with The Wirecutter, a buyer’s guide to the best technology. When readers choose to buy The Wirecutter’s independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here.

After spending almost three months looking, listening, adjusting angles, and deleting over 10,000 push notifications and emails, we’ve decided that the Netgear Arlo Pro is the best DIY outdoor Wi-Fi home security camera you can get. Like the other eight units we tested, the Arlo Pro lets you keep an eye on your property and provides smartphone alerts whenever there’s motion. However, it’s one of the few options with built-in rechargeable batteries to make it completely wireless, so it’s easy to place and move. It also delivers an excellent image, clear two-way audio, practical smart-home integration, and seven days of free cloud storage.

Who should get this

A Wi-Fi surveillance camera on your front porch, over your garage, or attached to your back deck can provide a peek at what really goes bump in the night, whether that’s someone stealing packages off your steps or raccoons going through garbage cans. It can alert you to dangers and can create a record of events. It should also help you to identify someone—and whether they’re a welcome or unwelcome guest—or just let you monitor pets or kids when you’re not out there with them.

How we picked and tested

Photo: Rachel Cericola

During initial research, we compiled a huge list of outdoor security cameras recommended by professional review sites like PCMag and Safewise, as well as those available from popular online retailers. We then narrowed this list by considering only Wi-Fi–enabled cameras that will alert your smartphone or tablet whenever motion is detected. We also clipped out all devices that required a networked video recorder (NVR) to capture video, focusing only on products that could stand alone.

Once we had a list of about 27 cameras, we went through Amazon and Google to see what kind of feedback was available. We ultimately decided on a test group based on price, features, and availability.

We mounted our test group to a board outside of our New England house, pointed them at the same spot, and exposed them all to the same lighting conditions and weather. The two exceptions were cameras integrated into outdoor lighting fixtures, both of which were installed on the porch by my husband, a licensed electrician. All nine cameras were connected to the same Verizon FiOS network via a Wi-Fi router indoors.

Besides good Wi-Fi, you may also need a nearby outlet. Only three of the cameras we tested offered the option to use battery power. Most others required an AC connection, which means you won’t be able to place them just anywhere.

We downloaded each camera’s app to an iPhone 5, an iPad, and a Samsung Galaxy S6. The cameras spent weeks guarding our front door, alerting us to friends, family members, packages, and the milkman. Once we got a good enough look at those friendly faces, we tilted the entire collection outward to see what sort of results we got facing the house across the street, which is approximately 50 feet away. To learn more about how we picked and tested, please see our full guide.

Our pick

The Arlo Pro can handle snow, rain, and everything else, and runs for months on a battery charge. Photo: Rachel Cericola

The Arlo Pro is a reliable outdoor Wi-Fi camera that’s compact and completely wireless, thanks to a removable, rechargeable battery that, based on our testing, should provide at least a couple of months of operation on a charge. It’s also the only device on our list that offers seven days of free cloud storage, and packs in motion- and audio-triggered recordings for whenever you get around to reviewing them.

The Arlo Pro requires a bridge unit, known as the Base Station, which needs to be powered and connected to your router. The Base Station is the brains behind the system, but also includes a piercing 100-plus-decibel siren, which can be triggered manually through the app or automatically by motion and/or audio.

With a 130-degree viewing angle and 720p resolution, the Arlo Pro provided clear video footage during both day and night, and the two-way audio was easy to understand on both ends. The system also features the ability to set rules, which can trigger alerts for motion and audio. You can adjust the level of sensitivity so that you don’t get an alert or record a video clip every time a car drives by. You can also set up alerts based on a schedule or geofencing using your mobile device, but you can’t define custom zones for monitoring. All of those controls are easy to find in the Arlo app, which is available for iOS and Android devices.

If you’re looking to add the Arlo Pro to a smart-home system, the camera currently works with Stringify, Wink, and IFTTT (“If This Then That”). SmartThings certification was approved and will be included in a future app update. The Arlo Pro is also compatible with ADT Canopy for a fee.


The Nest Cam Outdoor records continuously and produces better images than most of the competition, but be prepared to pay extra for features other cameras include for free. Photo: Rachel Cericola

The Nest Cam Outdoor is a strong runner-up. It records continuous 1080p video, captures to the cloud 24/7, and can actually distinguish between people and other types of motion. Like the Nest thermostat, the Outdoor Cam is part of the Works With Nest program, which means it can integrate with hundreds of smart-home products. It’s also the only model we tested that has a truly weatherproof cord. However, that cord and the ongoing subscription cost, which runs $100 to $300 per year for the Nest Aware service, are what kept the Nest Cam Outdoor from taking the top spot.

Like our top pick, the Nest Cam Outdoor doesn’t have an integrated mount. Instead, the separate mount is magnetic, so you can attach and position the camera easily. Although it has a lot of flexibility in movement, it needs to be placed within reach of an outlet, which can be a problem outside the house. That said, the power cord is quite lengthy. The camera has a 10-foot USB cable attached, but you can get another 15 feet from the included adapter/power cable.

The Nest Cam Outdoor’s 1080p images and sound were extremely impressive, both during the day and at night. In fact, this camera delivered some of the clearest, most detailed images during our testing, with a wide 130-degree field of view and an 8x digital zoom.

The Nest app is easy to use and can integrate with other Nest products, such as indoor and outdoor cameras, the Nest thermostat, and the Nest Protect Smoke + CO detector. You can set the camera to turn on and off at set times of day, go into away mode based on your mobile device’s location, and more.

This guide may have been updated by The Wirecutter. To see the current recommendation, please go here.

Note from The Wirecutter: When readers choose to buy our independently chosen editorial picks, we may earn affiliate commissions that support our work.


2016’s hacks, attacks and security blunders

Just when we thought things couldn’t get worse than 2015’s security and privacy disasters, the asshole known as 2016 came along to trample and pee on any hope we had left for a hack-free, secure future. This was the year Hollywood hacking scare-fantasies like War Games started to feel uncomfortably real. Yay…

This lovely year, our government used Tor exploits, the UK passed its terrible Snooper’s Charter, our TSA failed at cyber, the FBI got its hacking powers expanded and the Shadow Brokers tried to sell NSA secrets. But it’s the stories below that shaped this year in hacking and cybersecurity. They may have even had a hand in changing the course of history for the free world.

All for nothing

All it takes to get the FBI’s panties in a bunch is for someone to say “no” — and bunched they became when the agency wanted to get into an encrypted iPhone related to the San Bernardino shootings. The FBI wanted Apple to build a custom version of iOS with a backdoor. Apple said it not only wouldn’t, but couldn’t break the phone’s encryption for the case, because it would essentially break encryption on every other iPhone. This turned into a knock-down-drag-out fight both in congressional testimony and in the press. Everyone had an opinion, and the encryption debate became a vitriolic and emotional squabble. Eventually, the FBI picked itself up, dusted itself off, and ponied up $1.3 million for an exploit that allowed it into the phone.

An unhealthy diagnosis

When the Hollywood Presbyterian Hospital had its files held hostage in February by malware demanding payment, the digital plague known as ransomware finally got everyone’s attention. While not the first emergency service organization to fall victim to these extortion schemes, the hospital’s predicament highlighted the direness of the situation. The hospital was at a standstill with its systems responsible for CT scans, documentation, lab work, pharmacy functions and electronic communications all out of commission. Staff relied on pencil and paper; it was reported that radiation and oncology were temporarily shut down. The hospital eventually paid the ransom and got its files unlocked, and no one was harmed as a result of the disruption (that we know of). Still, it demonstrated just how fragile the systems our lives depend on have become.

Ocean’s 15 is going to be boring

The SWIFT bank heists are the stuff blockbuster films are made of. That is, if we wanted to watch George Clooney sit at a computer mashing keys for about 1,000 hours. In April, hackers swiped $81 million from Bangladesh Bank thanks to a flaw in SWIFT international banking software. A bank in Vietnam was also hit with the same technique, to the tune of $1 million. Then May saw another round of SWIFT-related bank robberies, in which hackers snatched $12 million from an Ecuadorian bank. Most of the attacks targeted Australia, Hong Kong, the UK, the Ukraine and the US, and they probably won’t stop anytime soon. It’s now believed a second group is targeting banks using the same methods, again using malware to cover its tracks via SWIFT.

Offshoring accountability

There was one big hack and dump that actually felt like it wasn’t done with completely evil intentions. That was the Panama Papers leak, in which a boatload of offshore-tax-haven records was released to the public via a handful of global news organizations. The offshore money-laundering firm Mossack Fonseca provided tax-avoidance services mostly to the rich and despotic, who wanted to stay technically within the law but needed to cover their unethical tracks. The resulting scandals prompted the prime minister of Iceland and FIFA ethics-committee member Juan Pedro Damiani to resign. Former UK Prime Minister David Cameron had some fessing up to do; leaders of Sudan and Azerbaijan, Pakistan Prime Minister Nawaz Sharif and Ukraine President Petro Poroshenko were also named in the papers. China’s government went on damage control and demanded reporting on the Papers be stopped after the family members of eight Communist Party elites were shown to have dealings with offshore companies.

Leave Britney alone

Throughout the year, one group managed to ruin the day of many CEOs, companies, and celebrities: social media extortionists extraordinaire OurMine. Grabbing usernames and passwords from breach dumps, finding famous names and seeing if the credentials still work isn’t exactly the work of hacking masterminds. But OurMine has made headlines time and again with this very simple formula. Big names on the “hacked by OurMine” list include Katy Perry, Marvel, Mark Zuckerberg, Google’s Sundar Pichai, Yahoo’s Marissa Mayer, AOL’s Steve Case and Twitter CEO Jack Dorsey. They proved that even the people who should know better reuse passwords, and companies aren’t doing a good enough job at telling users to change their passwords after a breach. Though, we can note with a small amount of dark amusement that one of its recent victims is Sony … which you’d think would know all about password and security hygiene by now.

What’s the opposite of security?

If there was a contest for getting embarrassingly hacked and being the worst at user security, Yahoo surely became the reigning queen of 2016. In fact, they won the race to the bottom so hard this year, the company may be hanging onto the crown for years to come. When Yahoo revealed in September that it had been hacked in 2014, just after its sale to Verizon began, the truth started coming out. That incident affected a jaw-dropping 500 million Yahoo users. Turns out this was only one of the intrusions Yahoo failed to tell us about, because this month it revealed that it was hacked again, in 2013. This time, it took the crown for the biggest exposure of customer records and credentials, ever — with over 1 billion accounts coming up pwned in a years-long compromise. Yahoo always had a tough slog when it came to staying afloat, but this year we found out that it really sucked at everything. But most especially security.

When your DVR is a honeypot

There was only one way this year could get worse when it came to hacking, and of course, it happened. Insecure IoT devices were leveraged via the Mirai Botnet to take out about half the internet when PayPal, The New York Times, Pinterest, Spotify, Twitter and many more sites went offline in October. WikiLeaks said it was all about them, everyone blamed Russia, and IoT hackers pretty much just rolled their eyes. The attackers did all this by exploiting the stupid decisions of “smart” appliance companies who left backdoors and default passwords in things like connected cameras and DVRs. The Mirai Botnet incident was only a partial use of the gigantic implanted malware bot-army, so that’s just great. It certainly served as a warning — albeit too late — about security neglect in manufacturing, and just how fragile our internet economy and communications really are.

Like D-Day, but for drama

In July, President-elect Donald Trump invited the Russians to hack us in a very specific way… and they did. So weird, right? They even went the extra mile for him by taking down his Democratic opponent with a series of hacks (and subsequent leaks, via WikiLeaks) that may have swayed the election in the bad hombre’s favor. It was the world’s most painful lesson in cybersecurity. John Podesta got owned through bad advice encouraging him to click a phishing link, and every US state panicked about the vulnerability and hackability of its voting machines. The result has been an ugly, rolling-downhill cyberwar with Russia, pitting the incoming president against the White House and most governmental organizations who believe Russia fucked us over — while Trump defends the 400-lb hackers who made him look good. And not just by physical comparison.

Images: Jaap Arriens/NurPhoto via Getty Images (iPhone); Shutterstock (Yahoo); REUTERS/Dado Ruvic/Illustration (Mossack Fonseca)


Democrats want to balance liberty and security in encryption debate

In 2012, the Democratic party platform document (released every four years at the Democratic National Convention) made barely a mention of internet privacy and how it affects US citizens. But that was before Edward Snowden’s revelations. This year, as the DNC kicks off in Philadelphia, the new Democratic Party platform addresses the privacy concerns brought to light in 2013. It also gets into the recent battle over encryption that was highlighted by the FBI trying to force Apple to decrypt an iPhone connected to a murder suspect.

As President Obama said at SXSW this past March, the Democrats will “reject the false choice between privacy interests and keeping Americans safe.” The party’s position is that we can have security while still letting citizens keep a degree of privacy, but we’re still not hearing too much on how it’ll do that. It’s not wildly different than the Republican take on the debate — the party’s platform says it does not want the government to become a “meddlesome monitor” in the tech industry, but it still leaves the door open for accessing encrypted information.

Obama said it’ll take a public discourse to get to a comfortable place on encryption, and the Democratic platform calls for a national dialog on the issue. “We will support a national commission on digital security and encryption to bring together technology and public safety communities to address the needs of law enforcement, protect the privacy of Americans, assess how innovation might point to new policy approaches, and advance our larger national security and global competitiveness interests,” the platform states.

While the platform is light on specifics in regards to the party’s approach to encryption, there are more details on how it’ll keep rolling back the widespread surveillance that came to light thanks to Snowden. The party says it’ll “stand firm against the type of warrantless surveillance of American citizens that flourished during the Bush Administration” and also that it supports “recent reforms to government bulk data collection programs so the government is not collecting and holding millions of files on innocent Americans.” Of course, plenty of these surveillance tactics went on long into Obama’s presidency, but the Democrats aren’t going to mention that here.

Just as in the 2012 platform document, cybersecurity gets a prominent mention. But there’s not a lot of meat in terms of what the party will actually do to make our digital world more secure. The party wants to strengthen cybersecurity, punish those who violate laws and work to build international norms in how we deal with cybersecurity.

That’s not wildly different than the language used in the 2012 platform, but the new document also mentions building on President Obama’s Cybersecurity National Action Plan, which includes the appointment of a federal Chief Information Security Officer. The plan was introduced in February and seems unlikely to pass before the end of Obama’s term, but if elected Hillary Clinton would seek to push it forward.

Some of the plan’s key tenets include modernizing government IT, hiring the aforementioned information security officer, making citizens more aware of the various ways they can protect their online identities (like two-factor authentication) and investing $19 billion for cybersecurity in the 2017 budget. That would mark a 35 percent increase over the 2016 budget allocation.

Both the 2012 and 2016 platforms make significant mention of the importance of high-speed internet, but the latest document contains a lot more buzzwords of the time: the dreaded Internet of Things and 5G. The platform states the intention to help widely deploy 5G wireless technology that “will not only bring faster internet connections to underserved areas, but will enable the Internet of Things and a host of transformative technologies.”

The party also intends to finish the work done by the Obama administration over the last eight years to “connect every household to high-speed broadband.” The 2012 document stated the goal of connecting 98 percent of US citizens to high-speed internet; now it seems the Democrats want to close the remaining gap as quickly as possible. These initiatives aren’t radically different than what the Republicans propose, but the Republican platform calls out the current administration for not doing enough to “advance our goal of universal broadband coverage.” That’s not an unreasonable shot: the US has often been criticized for lagging behind other countries in broadband penetration as well as overall speed.

Another place that the 2016 platform differs from the 2012 document is there’s now one lone mention of net neutrality, up from zero four years ago. It’s just one sentence, but at least it’s pretty unequivocal: “Democrats support a free and open internet at home and abroad, and will oppose any effort by Republicans to roll back the historic net neutrality rules that the Federal Communications Commission enacted last year.” Indeed, the Republican platform didn’t mention net neutrality once, not surprising considering the party strongly opposes the protections granted by the FCC under Obama’s watch. If net neutrality is important to you, it’s clear that with one simple sentence the Democrats come out ahead.

Source: 2016 Democratic party platform (PDF)
