At the Black Hat security conference today, researchers demonstrated a unique way to bypass Face ID authentication. The bypass relies on a pair of glasses with tape on the lenses and on the Attention Detection feature in Face ID.
As detailed by ThreatPost, one of the flaws in Face ID is that if you wear glasses, "the feature does not extract 3D information from the eye area when it recognizes the glasses." This vulnerability was discovered by researchers with Tencent.
To start the attack, the Tencent researchers targeted a biometrics feature called "liveness" detection, the part of the biometric authentication process that separates "real" from "fake" human features. It works by detecting background noise, response distortion or focus blur.
The researchers paid particular attention to how liveness detection scans the user's eyes. They discovered that the abstraction of the eye used for liveness detection renders a black area (the eye) with a white dot on it (the iris). They also discovered that if a user wears glasses, the way liveness detection scans the eyes changes.
The researchers took advantage of this weakness by taking a pair of glasses and placing black tape on the lenses, with white tape inside the black tape. They called these glasses "X glasses". Essentially, with these glasses placed on a victim, the researchers can bypass Face ID and successfully access someone's iPhone.
In terms of mitigations, researchers suggested that biometric manufacturers add identity verification for native cameras and increase the weight of video and audio synthesis detection.
Of course, this is a pretty difficult attack to perform. To unlock another person's phone, you apparently need to figure out how to put the glasses on them and make sure they stay still enough for Face ID to work. As the researchers note, this will be most effective when the victim is unconscious.
Nevertheless, this is a very different attack from the Face ID bypasses highlighted before. We have seen examples of cybersecurity experts beating Face ID with masks, and there are also some problems with twins and siblings.
Apple itself made several notable announcements at the Black Hat security conference today. The company is expanding its security bounty program with higher payouts, macOS support and an iOS Security Research Device program.
even more work than putting your finger on their touch ID while sleeping
– ileeileen dover # BB21ˊˎ˗ (@ThrowTheComp) August 9, 2019