Premium mobile phones can be unlocked using a photograph of the owner, research has shown.
Top-of-the-range devices from Samsung, Motorola and Oppo had their facial recognition security feature easily spoofed, Which? said.
A total of 133 models were tricked by the consumer group into opening with a 2D picture, including the Samsung Galaxy S25 (£800), Oppo Find X9 Pro (£1,099), Motorola Razr 50 Ultra (£999) and Oppo Find X9 (£899).
Other models from Asus, Fairphone, Honor, HMD, Nokia, Nothing, OnePlus, Realme, Vivo and Xiaomi also failed the test. All were Android devices. Apple’s Face ID remained secure.
The three newest Google Pixel models and Samsung Galaxy S26 series were not spoofed by a photo.
Basic 2D face-check systems work by using the front camera to take a picture and comparing it with the image saved on set-up. If it is similar enough, the phone unlocks. Apple, Google and some Android phone makers use a 3D face-check system that maps the shape of your face by projecting thousands of invisible dots on to it to measure the depth, contours and structure. That makes it harder to spoof using a photo.
Some phones using 2D technology warn users about the weakness of the system. However, Motorola, OnePlus and Nothing were highlighted for failing to do so. Which? said warnings should be prominent during the set-up process rather than “buried” in terms and conditions or another link.
The group said Motorola had released 27 phones since 2022 that could be unlocked with a 2D photo or by someone resembling the owner.
Lisa Barber, tech editor at Which?, said: “It almost seems unbelievable that phone cameras could be fooled by a printed photo — and yet they can be.”
Which? recommends switching to a fingerprint or six-digit PIN if there is a 2D unlocking system. A PIN can also be set for the Sim card, which prevents a thief taking it for another device to intercept security codes. Users can also set up an “app lock” to require a fingerprint to unlock sensitive apps such as messaging, email and banking.
Alan Goode, the chief executive of Goode Intelligence, a digital trust research company, said: “In an age of rampant smartphone theft, it is disappointing that so many Android devices offer face unlock solutions that are, in reality, merely a toy.”
Ben Wood, an analyst at FDM, the business and technology consultancy, said: “A good tip for users is that if the phone doesn’t let you use your face to authorise a payment, it probably indicates the photo authentication isn’t secure enough.”
Separately, an investigation by MIT Technology Review uncovered how software kits were being sold on Telegram to bypass security checks on banking and cryptocurrency apps. The kits bypass the phone’s camera, which is used for a “liveness” check, and use a virtual camera to present a fake video or photo to access the app.
In relation to the Which? study, Fairphone said it used a “widely adopted industry standard utilised by many leading smartphone brands”, which “inherently shares the same limitations”.
Honor said it viewed the 2D system as “a tool for convenience rather than for authorising sensitive transactions”. Motorola said it “recommends that consumers use a PIN, password or pattern for enhanced security”. OnePlus said it was transparent about the risks of the system. All other companies tested were approached for comment.
Leave a comment