Security

The iPhone X Face ID Hack and the Weapon of Curiosity

In the era of large-scale breaches and cybersecurity protocols, even on the most basic level, everything needs a password.

Last updated: September 15, 2025

An avatar of the author
Anna Ralph
Woman in profile with a dotted digital face scan overlay, illustrating biometric facial recognition security
Key takeawaysThis key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.

The article discusses how researchers from Bkav successfully bypassed Apple’s iPhone X Face ID using a 3D-printed mask and 2D images, highlighting that even advanced biometric systems can be defeated. It frames this technical finding in the broader real-world problem that breaches are inevitable, emphasizing operational impact: organizations must prioritize breach response planning and strong cybersecurity protocols over seeking ‘unhackable’ defenses. Drawing on insights from cybersecurity expert Dick Clarke, the piece argues that preparation, breach plans, and effective incident action are more practical than relying solely on impenetrable systems.

What exactly did Bkav researchers demonstrate about iPhone X Face ID?

Bkav researchers demonstrated that Apple’s Face ID could be bypassed using a makeshift approach combining a 3D-printed mask and 2D images. They reportedly created the mask and images over five days to trick the Face ID system, countering Apple’s claim that there was only a one-in-a-million chance the wrong face could unlock the device. The demonstration was presented as an experiment to show vulnerabilities in the biometric system rather than as a malicious attack.

Why does the article argue that focusing on unhackable systems is insufficient?

The article argues that pursuing ‘unhackable’ systems is insufficient because determined attackers can treat strong defenses as challenges and will find ways around them. It cites the history of biometric controls—numeric passcodes, Touch ID, and now Face ID—each eventually circumvented, and references Dick Clarke’s point that penetration tests are limited because hackers have unlimited time and incentive. Therefore, the emphasis should shift toward building robust breach plans and operational protocols to manage inevitable compromises rather than assuming any system is impregnable.

What practical cybersecurity advice does the article convey from Dick Clarke?

Drawing from Dick Clarke’s insights, the article advises organizations to create and maintain a clear breach plan and know exactly how to act when a breach occurs. Clarke stresses preparation and proper cybersecurity protocol over attempting to prove a system’s invulnerability, warning that an IT breach is a matter of ‘when’ not ‘if.’ The practical takeaway is to focus on incident response readiness and containment strategies to reduce operational impact when breaches happen.

In the era of large-scale breaches and cybersecurity protocols, even on the most basic level, everything needs a password. Precious and private information must be guarded and protected. Whether you’re the owner of an iPhone or the CISO of a multinational corporation, you need to keep your data under wraps and out of the wrong hands.

In recent weeks, it was reported that researchers from Vietnam-based information security firm Bkav found a way to hack the new iPhone X’s facial recognition feature, Face ID, with a makeshift mask composed of 3D printing and 2D images in just 5 days. Basically, the story goes something like this:

Apple: “There is only a one in a million chance that the wrong face could be used to unlock Face ID. This feature could not be fooled by masks.”
Bkav: “Challenge accepted.”
How Bkav tricked iPhone X's Face ID with a mask

The first iPhone started out with a simple numeric passcode. They then introduced Touch ID, which was also eventually hacked, and was “no challenge at all.” With the arrival of the new iPhone X’s Face ID, it wouldn’t be long before bad-intentioned hackers or in this case curious-minded individuals figured out how to trick the new software. The higher we build our walls, the higher people will build their ladders.

However, Bkav did not try to override Face ID because they wanted to. They did it simply to see if they could. They did it for fun – not with malicious intent, but only to prove that Apple’s new software was not as secure as they touted it to be.

This then raises the question: Should we be focusing our efforts on creating unhackable security measures, or should we instead be focusing on how to best and more effectively nip these things in the bud? In our recent webinar with cybersecurity expert Dick Clarke, he mentions the importance of a breach plan and knowing exactly how to act in case of a breach. And as a former Homeland Security Advisor to 3 presidents, it’s safe to say he knows a thing or two about cybersecurity…

Clarke emphasizes the importance of creating proper cybersecurity protocol and being prepared. Clarke goes on to say that a penetration test is futile, as hackers have all the time in the world, and if there’s a will there’s a way. Because what you call unhackable, hackers call a challenge.

Again, the point is not how Bkav managed it; it’s that if people are determined enough and want to access your data, they can get it and they will. We are no longer living in a time of breach or hack prevention. We are living in a time of inevitability. As Dick Clarke warned, “It’s no longer a matter of if, but when, an IT breach will occur.”

Published in:

Security

Published on: December 8, 2017

An avatar of the author

Anna is a passionate content writer who’s always eager to learn something new about cyber security.

Related content

Close-up of interlocked metal chain links symbolizing connected network objects and relationships in IPAM
Blog

How to map your network with user-defined links in Integrity X

Map your network with user-defined links in Integrity X to define and manage custom relationships, such as dual-stack and NAT environments.

Read more
Flock of geese flying in formation across a blue sky, framed by a pink graphic border, symbolizing coordinated network migrat
Blog

Automate your DDI modernization path by migrating with Micetro

Automate cross-platform DNS and DHCP migration with Micetro to reduce risk, eliminate manual effort, and modernize infrastructure faster.

Read more
Three armored figures walking toward a futuristic Las Vegas skyline with pyramids, glowing orb, and "Welcome to Fabulous Las
Blog

Your journey to intelligent NetOps begins at Cisco Live

Visit BlueCat’s booth or book a meeting now to learn more about how our solutions can help you build a network that supports constant change.

Read more
Stacked colorful wooden directional arrows on a post by a calm seaside with distant hills and blue sky
Blog

Replace BIND and ISC with Micetro DNS/DHCP Server (MDDS)

Tired of patching and manually configuring BIND DNS and ISC DHCP? Discover how Micetro MDDS appliances can replace them for modern DDI.

Read more