Criminals can use a 2D photograph to unlock face recognition on some smartphones, exploiting this crucial flaw to gain access and steal personal information.
Mobile phones from Honor, Motorola, Nokia, Oppo, Samsung, Vivo and Xiaomi have facial-recognition unlocking systems that can be tricked by an ordinary printed picture, Which? research has found.
The consumer body is concerned that a huge amount of sensitive information could be accessed by scammers exploiting this weakness. For example, the Google Wallet app is available to download on all the affected phones, has a reported 150 million users worldwide, and allows consumers to upload their bank cards to pay for things using contactless payments systems from their phone.
Of the 48 new smartphones the consumer body Which? sent to its lab for testing, 19 (40%) could easily be opened with a printed photograph, meaning crooks could get past the phone's lock screen and gain access to the device. Worryingly, Which? said, the photos were not even particularly high resolution and were printed on a standard office printer on normal paper.
Xiaomi had seven phones that could be exploited, while Motorola had four. Nokia, Oppo and Samsung each had two, and Honor and Vivo had one affected model each.
The majority of the phones that failed this biometric test were at the cheaper to mid-range end of the market, with prices from £89.99 for the Motorola Moto E13, but more expensive handsets could also be tricked, such as the Motorola Razr 2022, which launched with a price tag of almost £1,000.
Lisa Barber, Which? tech editor, said: “It’s unacceptable that brands are selling phones that can easily be duped using a 2D photo, particularly if they are not making their customers aware of this vulnerability. Our findings have really worrying implications for people’s security and susceptibility to scams.
“We would strongly advise anyone using these phones to turn off face recognition and use the fingerprint sensor, a strong password or long PIN instead.
“This needs to be a wake-up call for manufacturers – they need to step up and improve the security of their biometric systems against spoofing.”
Users in the UK can make contactless payments with Google Wallet up to £45 without needing to unlock the phone. Google told Which? that for higher value transactions, users must use a more secure Class 3 biometric unlock.
This should mean that people using the models that Which? was able to spoof are not able to complete transactions over £45 if face recognition is being used to unlock the phone.
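The "Class 3 biometric" that Google refers to is what the Android platform calls `BIOMETRIC_STRONG`; the photo-spoofable face unlocks in the Which? tests fall below that class. The following is an added illustration, not code from Which?, Google or any of the phone makers, of how an Android app can insist on a Class 3 authenticator for a high-value action so that a weaker face unlock cannot authorise it. The key alias, function names and the use of the article's £45 figure as a threshold are choices made for this example; the `androidx.biometric` and `KeyGenParameterSpec` APIs are the platform's own.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Alias chosen for this example; not a value from the article or any real app.
private const val KEY_ALIAS = "example_payment_authorization_key"

// The article states a UK contactless limit of £45 without unlocking the phone.
private const val CONTACTLESS_LIMIT_GBP = 45.0

/** Example policy: anything above the no-unlock limit must be gated by Class 3 biometrics. */
fun needsStrongBiometric(amountGbp: Double): Boolean = amountGbp > CONTACTLESS_LIMIT_GBP

/** True only if a Class 3 (BIOMETRIC_STRONG) authenticator is enrolled and usable right now. */
fun strongBiometricAvailable(context: Context): Boolean =
    BiometricManager.from(context).canAuthenticate(BIOMETRIC_STRONG) ==
        BiometricManager.BIOMETRIC_SUCCESS

/** Creates an AES key that the Keystore releases only after a Class 3 biometric (API 30+). */
fun createStrongBiometricKey() {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)
        // Timeout 0 = a fresh authentication for every use. AUTH_BIOMETRIC_STRONG excludes
        // Class 1/2 face unlock and the device PIN, so a spoofed weak face unlock cannot
        // release this key.
        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
        // Newly enrolled biometrics (e.g. a second face) invalidate the key.
        .setInvalidatedByBiometricEnrollment(true)
        .build()
    KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore").run {
        init(spec)
        generateKey()
    }
}

/**
 * Prompts for a Class 3 biometric and hands back a cipher that the Keystore has authorised.
 * Binding the prompt to a CryptoObject means the app's check cannot be bypassed by simply
 * faking the callback: the key itself will not operate without the strong authentication.
 */
fun authorizeHighValuePayment(
    activity: FragmentActivity,
    amountGbp: Double,
    onAuthorized: (Cipher) -> Unit,
    onDenied: (String) -> Unit
) {
    if (!needsStrongBiometric(amountGbp)) {
        onDenied("Amount is within the no-unlock limit; no biometric gate applies here")
        return
    }
    if (!strongBiometricAvailable(activity)) {
        onDenied("No Class 3 biometric available; use the PIN/password fallback flow")
        return
    }
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val key = keyStore.getKey(KEY_ALIAS, null) as SecretKey
    val cipher = Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, key) }

    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm payment")
        .setSubtitle("Transactions over £$CONTACTLESS_LIMIT_GBP need strong biometrics")
        .setNegativeButtonText("Cancel")
        // Only Class 3 authenticators are offered; weak face unlock is not presented at all.
        .setAllowedAuthenticators(BIOMETRIC_STRONG)
        .build()

    val prompt = BiometricPrompt(
        activity,
        ContextCompat.getMainExecutor(activity),
        object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                val authedCipher = result.cryptoObject?.cipher
                if (authedCipher == null) onDenied("No authorised crypto object returned")
                else onAuthorized(authedCipher)
            }

            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                onDenied(errString.toString())
            }
        }
    )
    prompt.authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
}
```

The point of the Keystore binding is that the decision is enforced by the hardware-backed key rather than by the app's own logic: on a handset whose face unlock is only Class 1 or 2, `canAuthenticate(BIOMETRIC_STRONG)` reports no eligible authenticator unless a fingerprint sensor or other Class 3 method is enrolled, which matches the advice above to rely on the fingerprint sensor, a strong password or a long PIN instead.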
All the Apple phones Which? tested passed the spoofing tests. Apple’s Face ID is a more robust system using sensors to create a 3D depth map of your face.
In response to the findings, Honor told Yahoo Finance UK its mobiles also have fingerprint technology.
“HONOR 70 and [all] other smartphones in our portfolio that offer this solution are usually complemented with Fingerprint technology that is typically far more secure. Ultimately, we leave the choice to the consumer to use the secure option they prefer," it said.