Face unlock systems on smartphones tricked with printed face picture
Face unlock security systems on Android phones made by the likes of Honor, Motorola, Samsung and others can be fooled by a simple printed 2D photograph, Which? has warned.
Since August 2022, the consumer firm has tested 48 new smartphones of which 19 (40 per cent) can be easily spoofed with a photo to get past the phone’s lock screen and gain access to the data on the device.
The testers said that photos of the user, whose real-life image was registered with the device, were not even particularly high-resolution and were printed on a standard office printer on normal, rather than photo, paper.
The flaw could be exploited by criminals to unlock the screen and steal personal information, the research concluded.
The majority of the phones that failed the test were at the cheaper-to-mid-range end of the market, with prices starting from £89.99 for the Motorola Moto E13.
Much more expensive handsets were affected too, such as the Motorola Razr 2022, which launched with a price tag of almost £1,000 (£949.99).
Other high-end devices, such as Apple's iPhone and Honor’s recently released Magic5 Pro, use a laser to create a 3D map of the user’s face for a greater degree of security. All the Apple handsets that Which? tested passed the spoofing tests, and many banking apps only allow face recognition as a security measure on Apple iPhones.
Which? found that Xiaomi had seven phones that could be exploited, while Motorola had four. Nokia, Oppo and Samsung each had two, while Honor and Vivo had one affected model respectively.
It said that “a huge amount of sensitive information” could be accessed by scammers exploiting this weakness, such as the Google Wallet app which allows consumers to upload their bank cards to pay for transactions using contactless payment systems directly from their phone.
Users in the UK can make contactless payments with Google Wallet up to £45 without needing to unlock the phone.
Google told Which? that for higher-value transactions, users must use a more secure Class 3 biometric unlock. This should mean that people using the models that Which? was able to spoof are not able to complete transactions over £45 if face recognition is being used to unlock the phone.
However, where a 2D photograph has been used to unlock the phone, the Google Wallet app may contain other sensitive information useful to scammers, such as the bank a user holds an account with and the last four digits of their debit and credit card numbers.
The app may also contain information about recent transactions, such as where users shopped and how much they paid, which could help a thief answer security questions in order to gain greater access to a bank account.
The European Telecommunications Standards Institute has published a voluntary standard stating that a 2D facial recognition system must not be duped more than 1 time in 50,000 attempts, yet Which? research suggests the affected phones may exceed this limit.
Lisa Barber, technology editor at Which?, said: “It’s unacceptable that brands are selling phones that can easily be duped using a 2D photo, particularly if they are not making their customers aware of this vulnerability. Our findings have really worrying implications for people’s security and susceptibility to scams.
“We would strongly advise anyone using these phones to turn off face recognition and use the fingerprint sensor, a strong password or long PIN instead.
“This needs to be a wake-up call for manufacturers: they need to step up and improve the security of their biometric systems against spoofing.”
An Honor spokesperson said: “Honor 70 and [all] other smartphones in our portfolio that offer this solution are usually complemented with Fingerprint technology that is typically far more secure. Ultimately, we leave the choice to the consumer to use the secure option they prefer."