Mobile phones from Honor, Motorola, Nokia, Oppo, Samsung, Vivo and Xiaomi have face unlock systems that can be fooled by a printed 2D photograph, a flaw that could be exploited by criminals to unlock the screen and steal personal information, Which? research has found.
The consumer champion is concerned that face recognition, which is often promoted as one of the most secure ways to unlock a phone, could inadvertently allow scammers to bypass the screen lock on certain Android phones and access logged-in apps which contain a range of sensitive information.
Since August 2022, Which? has sent 48 new smartphones to the lab for testing and of these, 19 new phones (40%) can be easily spoofed with a photo to get through the phone’s lock screen and gain access to the phone. Worryingly, the photos – of the user whose real-life image was registered with the device – were not even particularly high resolution and were printed on a standard office printer on normal, rather than photo, paper.
The majority of the phones that failed this simple biometric test by Which? were at the cheaper to mid-range end of the market, with prices starting from £89.99 for the Motorola Moto E13, but the list also includes much more expensive handsets, such as the Motorola Razr 2022, which launched at almost £1,000 (£949.99).
Xiaomi had seven phones that could be exploited, while Motorola had four. Nokia, Oppo and Samsung each had two and Honor and Vivo had one affected model respectively.
Which? is concerned that a huge amount of sensitive information could be accessed by scammers exploiting this weakness. For example, the Google Wallet app is available to download on all the affected phones, has a reported 150 million users worldwide, and allows consumers to upload their bank cards to pay for things using contactless payments systems from their phone.
Users in the UK can make contactless payments with Google Wallet up to £45 without needing to unlock the phone. Google told Which? that for higher value transactions, users must use a more secure Class 3 biometric unlock. This should mean that people using the models that Which? was able to spoof are not able to complete transactions over £45 if face recognition is being used to unlock the phone.
Which? suspects the face recognition on the affected phones in its research should be categorised as a Class 1 biometric (the least secure class), as its lab tests revealed the face recognition systems can be fooled with 2D photographs easily and repeatedly. Android does not permit biometrics in this category to be used by third-party apps to sign in or to confirm important actions.
However, once a 2D photograph has been used to unlock the phone, the Google Wallet app, like so many apps on phones, may still expose other sensitive information useful to scammers. The credit or debit cards registered tell the scammer who people bank with, and may display the last 4 digits of their card numbers. The app may also contain information about recent transactions, such as where users shopped and how much they paid, that might help a scammer answer security questions. So if the phone’s screen is unlocked with a 2D photograph, this and other information stored in unprotected apps could be at risk.
Most, but not all, banks responded to Which?’s research with details of how they mitigate these types of issues in their banking apps. Banking apps usually employ additional requirements or a number of authentication measures for a customer’s higher-risk actions.
All the Apple phones Which? tested passed the spoofing tests. Apple’s Face ID is a more robust system using sensors to create a 3D depth map of your face. This could be why a lot of banking apps only allow face recognition as a security measure on Apple iPhones.
Currently there are no laws that hold phone manufacturers to account over the quality of biometric security for smartphones. There are voluntary standards on how these systems should operate on mobile phones and how often they can be spoofed while still being viewed as secure, but these are not mandatory. For example, the European Telecommunications Standards Institute has published a voluntary standard stating that 2D facial recognition must not be duped more than 1 time in 50,000, yet Which? research suggests the affected phones may exceed this limit.
Google told Which? it was working with the industry on a certification programme based on this standard.
Which? has removed its Best Buy and Great Value recommendations from the phones that can be fooled with a 2D photograph.
For consumers that own one of the models with this fundamental flaw, Which? is recommending people turn off face recognition and use the fingerprint sensor, or a password or PIN at least six digits long instead.
Which? is calling on manufacturers to improve the security of their biometric systems against spoofing, and to acknowledge and properly inform consumers about the limitations of some types of facial recognition.
Lisa Barber, Which? Tech Editor, said:
“It’s unacceptable that brands are selling phones that can easily be duped using a 2D photo, particularly if they are not making their customers aware of this vulnerability. Our findings have really worrying implications for people’s security and susceptibility to scams.
“We would strongly advise anyone using these phones to turn off face recognition and use the fingerprint sensor, a strong password or long PIN instead.
“This needs to be a wake-up call for manufacturers – they need to step up and improve the security of their biometric systems against spoofing.”
Notes to editors
From August 2022, Which? labs were able to easily fool the face recognition systems on the following phones with a printed 2D photograph:
Motorola Razr 2022, Motorola Moto E13, Motorola Moto G13, Motorola Moto G23
Nokia G60 5G, Nokia X30 5G
Oppo A57, Oppo A57s
Samsung Galaxy A23 5G, Samsung Galaxy M53 5G
Vivo Y76 5G
Xiaomi POCO M5, Xiaomi POCO M5s, Xiaomi POCO X5 Pro, Xiaomi 12T, Xiaomi 12T Pro, Xiaomi 12 Lite, Xiaomi 13
Which? recommends: turn off your face recognition and lock your apps
On all of the affected handsets, face recognition is an optional security feature, so Which? recommends you turn it off and use the fingerprint sensor, or a password or PIN instead.
Long PINs, of at least six digits, are generally more secure, and if you can set up a password, use a mix of different characters so it’s harder to guess.
Which? recommends setting up protections on your apps that contain sensitive information too – this could involve logging out when you’re not using them, or setting up passwords or biometric locks.
It is recommended you set up a second lock on your Google Wallet app. This can be a PIN, pattern, password, registered fingerprint or iris scan, depending on what your phone offers.
Extra information on biometric security class systems
The phones that were fooled by a photograph in Which?’s tests run on Android’s operating system. Manufacturers must ensure their devices and software meet Android’s compatibility requirements in order to run the software and be “Android compatible”. These requirements include how often a device’s security measures may be fooled while still being viewed as secure. Class 3 systems have the highest level of biometric security and must not accept spoofs more than 7% of the time; Class 1 systems are the least secure, with a spoof acceptance rate of 20% or more.
Which? suspects the face recognition on the affected phones in its research should be categorised as a Class 1 biometric, as its lab tests revealed the face recognition systems can be fooled with 2D photographs easily and repeatedly. Only Nokia confirmed this was the classification for its affected handsets. Android prevents this class of biometric from being used by third-party apps for things like signing in or confirming important actions.
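An added example, not code from the Which? article or from any of the vendors named, showing how an app developer enforces the class distinction described above: with the androidx.biometric library an app can accept only a Class 3 (Strong) biometric or the device PIN/pattern/password, so a Class 1 face unlock of the kind a printed photo defeats can never satisfy the check for a sensitive action. The class name StrongAuthGate and its callback parameters are assumed names for illustration.

```kotlin
// Assumed helper (not from the article): gate a sensitive action such as
// revealing card details behind a Class 3 biometric or the device credential.
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity

class StrongAuthGate(private val activity: FragmentActivity) {

    /** True only if a Class 3 (Strong) biometric is enrolled and usable now. */
    fun hasStrongBiometric(): Boolean =
        BiometricManager.from(activity).canAuthenticate(BIOMETRIC_STRONG) ==
            BiometricManager.BIOMETRIC_SUCCESS

    /**
     * Prompt for a Strong biometric or the device credential. BIOMETRIC_WEAK is
     * deliberately absent, so a Class 1/2 face unlock is never offered here.
     */
    fun requireStrongAuth(onAuthorised: (viaBiometric: Boolean) -> Unit,
                          onDenied: (reason: String) -> Unit) {
        // Allowing DEVICE_CREDENTIAL keeps the action usable on handsets with no
        // Class 3 sensor; that combination forbids setNegativeButtonText().
        val promptInfo = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Confirm it's you")
            .setSubtitle(
                if (hasStrongBiometric()) "Use fingerprint or screen lock"
                else "Use your PIN, pattern or password"
            )
            .setAllowedAuthenticators(BIOMETRIC_STRONG or DEVICE_CREDENTIAL)
            .build()

        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                // Report which path succeeded; only Strong biometrics reach here.
                onAuthorised(result.authenticationType ==
                    BiometricPrompt.AUTHENTICATION_RESULT_TYPE_BIOMETRIC)
            }
            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                onDenied("$errorCode: $errString") // user cancelled, lockout, etc.
            }
            // onAuthenticationFailed(): a non-matching attempt; the prompt stays open.
        }

        BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
            .authenticate(promptInfo)
    }
}
```

Apps that need the authentication bound to a key (for example to decrypt stored card data) can additionally pass a BiometricPrompt.CryptoObject whose key was generated with setUserAuthenticationRequired(true), which is also only satisfiable by a Class 3 biometric or the device credential.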
Right of replies
Android told Which? that hardware OEMs (Original Equipment Manufacturers) alone choose the tier of biometric strength they implement in their products and for device unlock, and it’s also their responsibility to ensure the security of their product can meet Android Compatibility Definition Document requirements. Class 1 biometrics are intended to be more constrained, and app developers choose whether they require Class 2 or Class 3 biometrics for app sign-in and actions.
It told Which? it is constantly working with the Android OEM ecosystem to raise the bar for user security. Android is actively participating in a working group with GSMA for a smartphone security certification program that will bring more transparency to users.
Google (Google Wallet)
Google confirmed that for convenience, users in certain regions, including the UK, can make a limited number of low value transactions without needing to authenticate via face unlock.
For security, to make higher value contactless payments with Google Wallet, users must authenticate via a Class 3 biometric face unlock on their device. Setting up a more secure authentication method (PIN/pattern/passcode/Class 3 biometric) is required as part of setting up a contactless payment method in Google Wallet.
Nokia confirmed its affected phones have facial recognition software that does not have privileges in third-party apps, and that it tells customers the phone can be unlocked by someone who looks a lot like them. In its own testing with printed pictures, it did not register any issues.
Samsung told Which?:
“We provide various levels of biometric authentication, with the highest level of authentication from the fingerprint reader. In addition, we provide users with multiple options to unlock their smartphones through both biometric security methods, and convenient options such as swipe or facial recognition. Further information about facial recognition can be found via the settings on Samsung Galaxy smartphones.”
Vivo agreed that, on an industry level, 2D facial recognition is an elementary security measure. It told Which? that it tells customers during the phone’s setup process that face recognition is less secure than the other locks it offers. This includes that the face recognition may be unlocked by people or objects that look similar to the consumer. The consumer is prompted to review and agree to the noted Privacy Terms before setting up the 2D facial recognition system.
Honor, Motorola, Oppo and Xiaomi
Which? contacted these brands for comment but had not heard back at the time of writing.
Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. As an organisation we’re not for profit and all for making consumers more powerful.
The information in this press release is for editorial use by journalists and media outlets only. Any business seeking to reproduce information in this release should contact the Which? Endorsement Scheme team at email@example.com.