Security researchers have broken Apple's FaceID biometric system once again. But there is an unusual caveat to this trick: to successfully unlock an iPhone, attackers must first make sure the victim is out cold.
Tencent researchers demonstrated the exploitation vector at Black Hat USA 2019, reports Threatpost. The attack involves putting a pair of modified glasses on the victim's face. This, combined with carefully placing a piece of tape over the lenses of the glasses, makes it possible to bypass FaceID and log in to a victim's iPhone.
Of course, the exploit is rather difficult to pull off, considering that the attackers would need to figure out how to put the glasses on a victim without waking them up.
The attack exploits a biometric feature called "liveness" detection, designed to distinguish "false" versus "real" features in humans. The system mainly monitors background noise, focus distortion or blur in focus.
"With the leakage of biometric data and the improvement of AI scam, life detection has become the Achilles' heel in biometric authentication security, as it is to verify whether the biometric being taken is an actual measurement from the authorized living person present at the time of capture," the researchers said during the presentation.
So why do you need glasses to pull off the attack? Well, it turns out that FaceID scans the eyes differently when people wear glasses.
"We found weak points in FaceID," the researchers explain. "It allows users to unlock while wearing glasses […] if you wear glasses, it will not extract 3D information from the eye area when it recognizes the glasses."
Using this trick, researchers were able to unlock a victim's phone and even transfer their funds through a mobile payments app.
Researchers have bypassed Apple's FaceID to unlock iPhones in the past
This is hardly the first time scientists have cracked FaceID.
Back in 201
Apple has previously boasted that the chance of accidentally unlocking FaceID is one in a million, but there are anecdotal reports suggesting family members may have a greater chance of bypassing face recognition to unlock someone else's iPhone.
If anything, Tencent's proof-of-concept continues to show that even Apple's security systems are not invincible.
Published August 9, 2019 – 9:43 UTC