Facial-recognition locks used by a company claiming to operate the world’s largest network of express delivery lockers have been hacked by a group of fourth-graders.

The primary schoolers from Jiaxing in eastern China’s Zhejiang province told local TV program Haoqi Shiyanshi, or Curious Labs, that their science club recently discovered facial-recognition locks used by Hive Box, a Chinese smart locker company, could be opened using only a printed photo of the intended recipient’s face, leaving the lockers’ contents vulnerable to theft.

The episode’s host tests the security flaw himself and is able to replicate the kids’ findings with a nearly perfect success rate. Only when a photo wasn’t held steadily did the camera not recognize the face and open the locker. After airing Tuesday, the episode received wide attention online, prompting Hive Box to issue a statement the next day explaining that its facial-recognition feature was still in beta testing and had been suspended following the revelation of the bug.

Shenzhen-headquartered Hive Box has installed self-service pickup and drop-off stations across China in an effort to facilitate deliveries for the country’s booming logistics industry. Though a relative latecomer to smart lockers, which first emerged in China in 2012, Hive Box has outmuscled its domestic competitors and now claims to be the “world’s largest parcel machine operation company.”

Last year, 200 million people in over 100 Chinese cities retrieved 2.5 billion packages from Hive Box smart lockers, the company said, accounting for around 5% of the country’s total parcel deliveries that year. In July, Hive Box’s chief marketing officer, Li Wenqing, said the company is eyeing an initial public offering in the near future.

In response to the government’s call to turn China into a mighty nation powered by artificial intelligence, big data, and the internet of things, people and companies are increasingly embracing smart technologies aimed at making daily life more convenient. But the wide adoption and sometimes poor implementation of facial recognition in particular have given rise to privacy and security concerns.

In January, the State Administration for Market Regulation found that 15% of leading smart locks using facial-recognition technology could be opened using photographs. In March, a Sixth Tone investigation found that facial-recognition cameras were being installed in classrooms to monitor students, often without their parents’ knowledge or consent. And in September, a Chinese deepfake app called Zao that swapped users’ faces into famous scenes from movies and TV series came under fire over its collection of user data, including photos. Scrutiny of the app even prompted mobile payment giant Alipay to assure users that its “Smile to Pay” facial-recognition system could not be hacked using deepfakes.

In a previous interview, Wang Shengjin, a professor of electronic engineering at Tsinghua University, told Sixth Tone that, while some facial-recognition systems that rely on 2D mapping technology are more vulnerable and can easily be hacked using photos, the public shouldn’t worry about facial-recognition mobile payment systems — including Alipay, WeChat Pay, and Apple Pay — because their use of 3D mapping, in combination with infrared illumination and two-step verification, makes them much more secure.

Editor: David Paulk.

(Header image: A man picks up a package from a Hive Box station in Beijing, July 29, 2019. VCG)