Security researchers demonstrate how to bypass Face ID with glasses and tape

At the Black Hat security conference today, researchers demonstrated a unique way to bypass Face ID authentication. The foundation of the bypass is a pair of glasses with tape on them, and the Attention Detection feature of Face ID.

As detailed by ThreatPost, one of the flaws of Face ID is that if you’re wearing glasses, the feature does not “extract 3D information from the eye area when it recognizes the glasses.” This vulnerability was discovered by researchers with Tencent.

To launch the attack, researchers with Tencent tapped into a feature behind biometrics called “liveness” detection, which is part of the biometric authentication process that sifts through “real” versus “fake” features on people. It works by detecting background noise, response distortion or focus blur.

Researchers specifically honed in on how liveness detection scans a user’s eyes. They discovered that the abstraction of the eye for liveness detection renders a black area (the eye) with a white point on it (the iris). And, they discovered that if a user is wearing glasses, the way that liveness detection scans the eyes changes.

Security researchers were able to exploit this weakness by taking a pair of glasses and placing black tape on the lenses and white tape inside the black tape. The researchers dubbed these glasses the “X-glasses.” Essentially, with these glasses on a victim, researchers can bypass the liveness detection feature of Face ID and successfully gain access to someone’s iPhone.

In terms of mitigations, researchers suggested that biometrics manufacturers add identity authentication for native cameras and increase the weight of video and audio synthesis detection.

Of course, this is a rather difficult attack to perform. To unlock another person’s phone, you would seemingly need to figure out how to put glasses on them and ensure they were still enough for Face ID to work. As the researchers note, this would be most effective when the victim is unconscious.

Nonetheless, this is a very different attack from the ones earlier Face ID bypasses have highlighted. We’ve seen examples of cybersecurity experts beating Face ID with masks, while there are also some issues with twins and siblings.

Apple itself made several notable announcements at the Black Hat security conference today. The company is expanding its security bounty initiative with higher payouts, macOS support, and an iOS Security Research Device program.

https://twitter.com/ThrowTheComp/status/1159625725856690176


Author

Chance Miller

Chance is an editor for the entire 9to5 network and covers the latest Apple news for 9to5Mac.
