At the Black Hat security conference today, researchers demonstrated a unique way to bypass Face ID authentication. The foundation of the bypass is a pair of glasses with tape on them, and the Attention Detection feature of Face ID.
As detailed by ThreatPost, one of the flaws of Face ID is that if you’re wearing glasses, the feature does not “extract 3D information from the eye area when it recognizes the glasses.” This vulnerability was discovered by researchers with Tencent.
To launch the attack, researchers with Tencent tapped into a feature behind biometrics called “liveness” detection, which is part of the biometric authentication process that sifts through “real” versus “fake” features on people. It works by detecting background noise, response distortion or focus blur.
Researchers specifically honed in on how liveness detection scans a user’s eyes. They discovered that the abstraction of the eye for liveness detection renders a black area (the eye) with a white point on it (the iris). And, they discovered that if a user is wearing glasses, the way that liveness detection scans the eyes changes.
Security researchers were able to tap into this weakness by taking a pair of glasses and placing black tape on the lenses and white tape inside the black tape. The researchers dubbed these glasses the “X-glasses.” Essentially, with these glasses on a victim, researchers can bypass the liveness detection feature of Face ID, and successfully gain access to someone’s iPhone.
In terms of mitigations, researchers suggested that biometrics manufacturers add identity authentication for native cameras and increase the weight of video and audio synthesis detection.
Of course, this is a rather difficult attack to perform. To unlock another person’s phone, you would seemingly need to figure out how to put glasses on them and ensure they were still enough for Face ID to work. As the researchers note, this would be most effective when the victim is unconscious.
Nonetheless, this attack is very different from earlier Face ID bypasses. We’ve seen examples of cybersecurity experts beating Face ID with masks, and there are also some issues with twins and siblings.
Apple itself made several notable announcements at the Black Hat security conference today. The company is expanding its security bounty initiative with higher payouts, macOS support, and an iOS Security Research Device program.
still more work than putting someone’s finger on their touch id while they’re asleep
— ˗ˏˋeileen dover #BB21ˊˎ˗ (@ThrowTheComp) August 9, 2019