Facial Recognition Security Flaw: Printed Photos Unlock Majority of Popular Phones
Facial recognition technology is often marketed as a cutting-edge method to secure smartphones, but a startling investigation by consumer group Which? has uncovered a critical vulnerability. According to their research, approximately 60 per cent of popular mobile phones can be easily deceived using nothing more than a printed photograph. This security lapse affects devices from major brands such as Motorola, Nokia, Nothing, OnePlus, and Fairphone, raising alarms about the safety of personal data stored on these gadgets.
High-End Models Also at Risk
Even premium flagship smartphones, including the £1,099 Oppo Find X9 Pro, have been found susceptible to this spoofing technique. In tests, these devices mistakenly identified flat pieces of paper as genuine human faces, highlighting a widespread issue across the industry. Lisa Barber, Tech Editor at Which?, expressed disbelief at the findings, stating: 'In this age of cutting-edge technology, it almost seems unbelievable that phone cameras could be fooled by a printed photo – and yet they can be.'
Testing Reveals Alarming Trends
Which? conducted extensive testing on 208 phone models released since October 2022, revealing that 133 of them could be compromised with a simple photo. The problem appears to be worsening over time; in 2024, a staggering 72 per cent of tested phones failed to detect printout spoofs, a significant increase from 53 per cent in the previous year. Although the failure rate slightly decreased to 63 per cent in 2025, the majority of devices remain vulnerable to this basic hacking method.
Why 2D Systems Are Vulnerable
The root cause lies in the reliance on 2D facial recognition systems, which analyse flat images without depth perception. These systems cannot distinguish between a real face and a printed photograph, making them easy targets for thieves. In contrast, more advanced 3D mapping technologies, such as those used in the latest Google Pixel 8, Pixel 9, Pixel 10, Samsung Galaxy S26, and Apple's Face ID, project thousands of invisible dots to create a detailed depth map, effectively preventing spoofing attempts.
List of Affected Devices
Among the phones identified as vulnerable are:
- Fairphone 6
- Honor Magic6 Lite 5G
- Motorola Moto G75 5G
- Motorola Edge 60 Pro
- Nothing Phone (2a) Plus
- OnePlus 13R
- OnePlus Nord 3 5G
This list includes multiple models from Motorola, Nothing, and OnePlus, with many devices lacking adequate warnings about the security risks during setup.
Manufacturers' Responses and Warnings
Which? has criticised manufacturers for failing to provide clear, prominent notifications about the limitations of facial recognition. An adequate warning, as defined by the consumer group, should be displayed during the security setup process, explicitly cautioning users that their phone could be bypassed by a 2D photo. However, many brands, including Motorola and OnePlus, have released numerous vulnerable devices without such alerts. A Motorola spokesperson emphasised that face unlock is intended for convenience and recommended using a PIN, password, or pattern for enhanced security. OnePlus pointed to its mandatory 'Statement on Using Face Recognition,' while Nothing did not respond to requests for comment.
Positive Steps and Recommendations
Despite the widespread issues, some brands have made improvements. Xiaomi, for instance, has flagged security risks on 26 vulnerable handsets, and Samsung provides upfront warnings on nine of its devices. To mitigate risks, Which? urges users of affected phones to avoid relying solely on facial recognition. Instead, they should switch to more secure methods such as fingerprints or PINs. Additionally, enabling 'app lock' features for sensitive applications like banking or email can add an extra layer of protection. Consumers are also advised to steer clear of weak options like patterns, which can be easily observed by 'shoulder surfing' thieves.
Industry Standards and Future Concerns
The prevalence of 2D facial recognition systems, classified as Class 1 biometrics under Android's security framework, is a common industry standard. Fairphone and Honor have acknowledged that this technology is designed for convenience rather than high-security authorisation. However, with cyber threats on the rise, the need for robust security measures is more critical than ever. Which? maintains that it cannot endorse any phone that fails the spoofing test without adequate warning, regardless of other performance aspects. As technology evolves, consumers must stay informed and proactive in safeguarding their personal information against potential breaches.
