Google's Face unlock on the Pixel 4 series has a major security flaw

Back in September, we pointed out some issues with Google's Face unlock, the facial recognition system that is the only biometric security option on the Pixel 4 series. A screenshot taken on a Pixel 4 XL that Nextrift obtained before the unveiling revealed that the feature could unintentionally unlock a new Pixel if a user is merely staring at his phone. In addition, the phone can be unlocked by someone who looks a lot like the phone's owner, such as a twin, a sibling, or a doppelganger. And the phone could be unlocked against the will of the owner if someone puts it up to his face with his eyes open.

Today, though, an even more frightening security issue was discovered on Google's Face unlock support page (via BBC News). The Face unlock settings in the aforementioned screenshot show a toggle that, when enabled, forces the phone owner to have his eyes open to use Face unlock. However, this option will not appear in the Pixel 4 models set to ship next week, and Google wouldn't say whether it plans on adding it in a future update. Here is why it is important. If someone looking to get into a Pixel 4 grabs the device and puts it up to the owner's face, it will unlock. Apple, by default, requires an iPhone or iPad Pro user to be alert with open eyes to unlock a device with Face ID. This allows a person to keep his eyes shut in order to prevent his iPhone or iPad Pro from being unlocked against his will.

Cyber-security experts are concerned about the security of the Pixel's Face unlock


Google has responded to today's news by stating that "Pixel 4 Face unlock meets the security requirements as a strong biometric." And Pixel product manager Sherry Lin said before the unveiling this week that only two facial recognition systems meet the definition of being super secure in order to verify payments. Those two are Google's Face unlock and Apple's Face ID.


What makes Google's and Apple's facial recognition systems so secure is that they both create 3D maps of the owner's face. Apple uses a technology called Structured Light that projects stripes on a subject that cannot be seen by the naked eye. Distortions in the pattern are recognized by the camera and help it produce the 3D map. An image Google disseminated reveals that the forehead on the new Pixels contains a Face unlock dot projector, a flood illuminator, and two infrared cameras, which suggests that it is using a similar method for secure facial recognition.

The BBC's Chris Fox tested Face unlock on a Pixel 4 and discovered that it will open the phone even if the owner is asleep. Fox also confirmed that the Pixel 4 he received did not feature the toggle option that allows the owner of the device to set the biometric feature not to work if his eyes are closed. The lack of this option has security experts like Graham Cluley concerned. "If someone can unlock your phone while you're asleep, it's a big security problem," Cluley said to BBC News. "Someone unauthorized - a child or partner? - could unlock the phone without your permission by putting it in front of your face while you're asleep. I wouldn't trust it to secure the private conversations and data on my phone." 

The Pixel 4 Face unlock works in conjunction with the phone's radar-based Soli chip. When a Pixel user starts to reach for his phone, the movement is detected by the Soli chip and Face unlock is turned on. This way, the user can, in one motion, pick the phone up off of the desk and have it unlocked with his face.

As for the security issue that Face unlock currently has, Google says, "We will continue to improve Face Unlock over time." It also points out that users can enable the lockdown mode which disables Face unlock and forces device owners to unlock their handset by using a PIN, password or pattern.

37 Comments

1. OneLove123

Posts: 1250; Member since: Aug 28, 2018

Thanks, I’ll get the pixel 4 xl.

2. lyndon420

Posts: 6868; Member since: Jul 11, 2012

Biometric unlocking is a joke on any phone, and (honestly) is something that should be avoided entirely...

3. blingblingthing

Posts: 980; Member since: Oct 23, 2012

Just so that everyone is aware, the same vulnerability existed with a FPS because you could use it when the owner was asleep. I don't think this stopped anyone from claiming the iPhone 5s was secure and cutting edge technology.

10. chris2k5

Posts: 291; Member since: Nov 17, 2012

Didn’t Samsung just find out that the screens on their phones allowed anyone to access the phone with any fingerprint?

13. lyndon420

Posts: 6868; Member since: Jul 11, 2012

Yes...with a particular screen protector that was applied to the screen. I'd like to see this same screen protector applied to all other phones (including Apple's) to see if this is just a Samsung problem, or possibly a widespread problem...

12. Dr.Phil

Posts: 2482; Member since: Feb 14, 2011

I think the difference is a fingerprint scanner requires you to actually touch the person which could risk waking them up.

4. darkkjedii

Posts: 31529; Member since: Feb 05, 2011

Just get a Note 10+, and use a PIN. Best phone out, bar none.

5. Locked-n-Loaded

Posts: 42; Member since: Sep 13, 2019

WTF is the purpose of biometrics in screen? It's so lamely dysfunctional across the board on so many phones. Just do a good old proven reliable fingerprint reader on the power BUTTON. This is a prime example of one of those features phone companies just continue to push over and over that ultimately doesn't really even matter.

9. chris2k5

Posts: 291; Member since: Nov 17, 2012

Fingerprint scanner is horrible. Someone can just use ur finger when ur dead to access your phone.

22. Vancetastic

Posts: 1710; Member since: May 17, 2017

I don't think they work when you're dead. Also, if you're already dead, who cares?

31. TBomb

Posts: 1650; Member since: Dec 28, 2012

I believe you're right... Living things have an electric current (or something.. I'm not a scientist and don't understand it 100%) but that's how touchscreens work for fingers and not for a winter glove. The phone doesn't go "oh hey, that's human skin! Let's register the touch!" But it might be possible to use your own current and go through the dead person's finger? idk Anyone got a dead person on their hands to try it out? (pun intended)

33. Vancetastic

Posts: 1710; Member since: May 17, 2017

Time for a visit to the morgue! I have a hospital just a few blocks from me.

11. lyndon420

Posts: 6868; Member since: Jul 11, 2012

@Locked-n-Loaded Why stop there? A good old fashioned pin code can't be stolen from you while you're sleeping or awake. And it still falls under rights of the constitution...your prints and iris/facial information can be forced from you, but demanding a passcode that you hide away inside your brain is still considered highly illegal...at least for the time being.

6. jjface

Posts: 256; Member since: Jun 07, 2017

If anything it might just save your life. Criminal grabs phone and it won't easily unlock. Said criminal kidnaps you to work on it or threatens violence if you don't unlock. You refuse and criminal beats you to death. I doubt you holding your eyes shut will deter them. I guess you are at risk of the grab and go type thief.

7. mackan84

Posts: 616; Member since: Feb 13, 2014

https://www.bbc.com/news/technology-50080586 S10 and screen protectors makes the in screen FPS work for anyone

15. cmdacos

Posts: 4313; Member since: Nov 01, 2016

Cheap unsupported screen protectors and even then, requires specific circumstances in order to bypass.

17. mackan84

Posts: 616; Member since: Feb 13, 2014

I don’t really care, none of these biometrics are bulletproof, and never will be until they are controlled by our mind. If you ask yourself if you want it for safety or convenience, I bet it’ll be for convenience. If someone robs you at most they might find personal texts or photos at most. Unless you’re some CEO with secret notes that should have their own pws anyways. And if they want to shop on my Apple Pay for instance then they're going to need my face for every purchase. And by the time they reach the store I would hopefully have been able to reach a phone to make my cards useless.

18. maherk

Posts: 7007; Member since: Feb 10, 2012

I know you're trying to defend Samsung and blame it on the users in this instance, when in fact your comment is more incriminating lol. You're basically saying, if you want to get into someone's Galaxy S10 or Note 10, it'll cost you a few bucks to do so. And funny how you mock Apple for the "you're holding it wrong" statement, yet you're using the same excuse when it's Samsung.

8. chris2k5

Posts: 291; Member since: Nov 17, 2012

Google trying to copy Apple's tech but they can’t replicate the security.

14. darkkjedii

Posts: 31529; Member since: Feb 05, 2011

Has Apple ever copied?

19. Ikechukwu

Posts: 261; Member since: Oct 03, 2011

like there's just no need to answer clowns that don't make no sense lol

23. Vancetastic

Posts: 1710; Member since: May 17, 2017

I can't this guy has been trolling here for almost seven years. Get a hobby!

32. darkkjedii

Posts: 31529; Member since: Feb 05, 2011

He knew not to reply, or I woulda grilled him.

34. Vancetastic

Posts: 1710; Member since: May 17, 2017

That's what these idiots do. Drop a load, then run away without even flushing.

16. dnomadic

Posts: 437; Member since: Feb 20, 2015

Beyond stupid... as if thieves are waiting to hold your phone to your face... as if people that sleep in the same home as you are untrustworthy ... if they are, then you and your friends are the risk... non-issue. Every biometric solution has proved to have a flaw, but most are EXTREMELY unlikely to cause an issue (same with pins and passcodes)

26. Vokilam

Posts: 1347; Member since: Mar 15, 2018

This was needed to be said. I love my FaceID, but if I was to have anything worth on my phone, I'd never use it, or any biometric. Fortunately, NONE OF YOU, or myself are that interesting to steal info from your phone. I have played with my face ID with people that even remotely look like me, photos/videos of me, and what-have-you: NOT ONCE it unlocked my phone. So I do trust it. But it needs to be said, that having someone to snatch your phone, then point it to your face to unlock and then run away is extremely unlikely scenario. Pocket pickers will not identify themselves in that manner. But let's say they are that stupid - most of the important stuff like bank apps requires another log in, NFC payments require another log in, even changing the login password or train face id to another face (for future unlocks) requires a passcode log-in. Any system operations such as factory resetting your phone requires another log in. I'm sure it's the same for the Android on Pixel phones as well. The phone is basically as useful to a thief as the sum of parts it's made of regardless whether it's locked or unlocked. So I wouldn't put too much worry into this. I'm surprised that Google didn't implement "open-eyes awareness" feature like on Face ID (it's been years that iPhone had this - should be easy to reverse-engineer), but I don't run multi-billion corporations, so I'm sure they have a good reason. If that's the only issue - I'll still gladly take it. It's about time Android has their FaceID version. I cannot have a phone without it..

20. iloveapps

Posts: 909; Member since: Mar 21, 2019

Still better than Samsung where people use 3rd party screen protector and their phone can be easily accessed thru fingerprint and random access passcode.

21. mohsin845

Posts: 48; Member since: Apr 05, 2014

Google Face ID....Joke of the year.

24. Vancetastic

Posts: 1710; Member since: May 17, 2017

Well, this isn't a good look. I do wonder...as fast as these things scan and unlock, would you have the presence of mind to quickly close your eyes if someone suddenly grabs your phone?

25. photo3

Posts: 30; Member since: Mar 11, 2016

All they have to do is add the toggle and problem solved. Why the need to bring up Apple, or Samsung. I think the Pixel buyers will love opening apps using Face ID, it’s seamless and feels like the next step forward when signing into apps compared to fingerprint. Although the first phone with both for when your phone is laying down will probably be the best complete solution.
