In Black Hat USA 2019, security researchers demonstrated an attack that allowed them to bypass a victim’s FaceID and log into their phone simply by putting a pair of modified glasses on their face. Different vulnerabilities have been uncovered in the authentication process of biometrics technology that could allow bad actors to bypass various facial recognition applications – including iPhone’s FaceID.
Acording to Threatpost blog post report described how hackers could beat Face ID in a scenario that only applies in a spy novel or implausible Hollywood movie. Certainly it’s an unlikely scenario for 99.99% of iPhone users. The hack involves placing modified glasses on an unconsciousness person.
How to Bypass iPhone FaceId?
Security researchers discovered a flaw in the liveness detection function of the biometric authentication system that is used by Apple for unlocking an iPhone using FaceID.
- A pair of spectacles
- Some tape
- A sleeping or unconscious iPhone user
According to Forbs post, Researchers found that the FaceID liveness process wouldn’t extract full 3D data from the area around the eye if it recognizes the owner is wearing glasses. Instead, it looks for a black area for the eye with a white point upon it for the iris. So the researchers created a pair of spectacles with white tape covered by black tape in the center. A hole in the black tape was allowing the “white point” to be visible to FaceID. This is enough to fool FaceID and unlock the iPhone
But it’s also the last time you can use the word “simply” in connection with the hack. Sure, the researchers showed how they placed the “X-glasses” onto a “sleeping” victim, unlocked the iPhone and managed to transfer money using mobile payment. But you try and do that in the real world.
Security researchers said:
“Liveness detection has become the Achilles’ heel of biometric authentication security as it is to verify if the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture.”
How to Mitigate This Vulnerability?
Researchers suggested that biometrics manufacturers add identity authentication for native cameras and increase the weight of video and audio synthesis detection.