Google's Face unlock on the Pixel 4 series has a major security flaw

Back in September, we pointed out some issues with Google's Face unlock, the facial recognition system that is the only biometric security option on the Pixel 4 series. Discovered on a Pixel 4 XL obtained before the unveiling by Nextrift, a screenshot revealed that the feature could unintentionally unlock a new Pixel if a user is merely staring at his phone. In addition, the phone can be unlocked by someone who looks a lot like the phone's owner like a twin, a sibling, or a doppelganger. And the phone could be unlocked against the will of the owner if someone puts it up to his face with his eyes open.

Today though, an even more frightening security issue was discovered on Google's Face unlock support page (via BBC News). The Face unlock settings in the aforementioned screenshot show a toggle option that can be enabled forcing the phone owner to have his eyes open to use Face unlock. However, this option will not appear in the Pixel 4 models set to ship next week and Google wouldn't say whether it plans on adding this in a future update. Here is why it is important. If someone looking to get into a Pixel 4 grabs the device and puts it up to the owner's face, it will unlock. Apple, by default, requires an iPhone or iPad Pro user to be alert with open eyes to unlock a device with Face ID. This allows a person to keep his eyes shut in order to prevent his iPhone or iPad Pro from being unlocked against his will.

Google has responded to today's news by stating that "Pixel 4 Face unlock meets the security requirements as a strong biometric." And Pixel product manager Sherry Lin said before the unveiling this week that only two facial recognition systems meet the definition of being super secure in order to verify payments. Those two are Google's Face unlock and Apple's Face ID.

What makes Google and Apple's facial recognition systems so secure is that they both create 3D maps of the owner's face. Apple uses a technology called Structured Light that projects stripes on a subject that cannot be seen by the naked eye. Distortions in the pattern are recognized by the camera and help it produce the 3D map. An image Google disseminated revealing that the forehead on the new Pixels contains a Face unlock dot projector, a flood illuminator, and two infrared cameras suggest that it is using a similar method for secure facial recognition.

The BBC's Chris Fox tested Face unlock on a Pixel 4 and discovered that it will open the phone even if the owner is asleep. Fox also confirmed that the Pixel 4 he received did not feature the toggle option that allows the owner of the device to set the biometric feature not to work if his eyes are closed. The lack of this option has security experts like Graham Cluley concerned. "If someone can unlock your phone while you're asleep, it's a big security problem," Cluley said to BBC News. "Someone unauthorized - a child or partner? - could unlock the phone without your permission by putting it in front of your face while you're asleep. I wouldn't trust it to secure the private conversations and data on my phone." 

The Pixel 4 Face unlock works in conjunction with the phone's radar-based Soli chip. When a Pixel user starts to reach for his phone, the movement is detected by the Soli chip and Face unlock is turned on. This way, the user can, in one motion, pick the phone up off of the desk and have it unlocked with his face.

As for the security issue that Face unlock currently has, Google says, "We will continue to improve Face Unlock over time." It also points out that users can enable the lockdown mode which disables Face unlock and forces device owners to unlock their handset by using a PIN, password or pattern.

Proof, for those asking #madebygoogle#pixel4pic.twitter.com/mBDJphVpfB

— Chris Fox (@thisisFoxx) October 15, 2019