- Researchers demonstrate that it’s possible to fool Apple’s Face ID, but it’s not easy.
- The victim will have to be sleeping, and a special pair of glasses will have to be put onto their face.
- The discovery demonstrates that there should be no unlocking without 3D scanning and iris confirmation.
Tencent researchers have demonstrated that it is possible to bypass Apple’s Face ID, unlocking an iPhone during Black Hat USA 2019 by using a special pair of glasses and tape on the lenses. Apple’s Face ID is considered to be one of the most secure biometrics locking systems, and compared to the implementations of other smartphone manufacturers, it performs way better and much more reliably. Researchers have tried to trick it again and again but failed, and last year, the FBI forced an iPhone X owner to unlock the device using his face.
The attack that was demonstrated during this year’s Black Hat isn’t exactly straightforward to conduct, as the hacker will need to interact with the potential victim first. In fact, the victim needs to be sleeping, and the attacker will have to put a pair of special glasses onto their face. This essentially bypasses the “liveness detection” measure that is supposed to tell real from fake face features. The researchers analyzed the way that the “liveness detection” works, and discovered that there’s a relatively simplistic abstraction rendering for the eye detection. This scanning method changes for when the user is wearing glasses, as the requirement for 3D information is taken out of the confirmation and unlocking process.
Obviously, Apple did that to enable people to unlock their phones while wearing glasses, but it looks like this is the weakest point in their face unlock system. Knowing that Tencent researchers created the special pair of glasses that they call “X-glasses”, using black tape on the lenses and white tape inside the black tape. As they demonstrated, this works perfectly so the attacker could unlock the device, authorize money transfers, steal sensitive personal data, impersonate their identity, and more.
To mitigate this risk, the researchers suggest that a significant increase of the weight of video and audio synthesis detection must be implemented, or the ability to unlock your device while wearing glasses much be taken out entirely. Right now, people may try to replicate the method in harmful ways as waiting for someone to fall asleep is much harder than beating them to the point of unconsciousness. We hope that Apple will respond to this discovery quickly, addressing it via an update so that iPhone and iPad Pro owners will stay out of harm’s way.