At the Black Hat security conference today, researchers demonstrated an unusual way to bypass Face ID authentication. The bypass rests on two things: a pair of glasses with tape on the lenses, and the Attention Detection (liveness) feature of Face ID.
As detailed by ThreatPost, the weakness is that when Face ID recognizes that the wearer has glasses on, it does not "extract 3D information from the eye area when it recognizes the glasses." The flaw was discovered by researchers with Tencent.
The researchers exploited this weakness by taking a pair of glasses, covering the lenses with black tape, and placing a small patch of white tape inside the black area. They dubbed the result the "X-glasses." With these glasses placed on a victim, the researchers were able to bypass Face ID's liveness detection and unlock that person's iPhone.
The researchers focused specifically on how liveness detection scans a user's eyes. They found that, for the purpose of liveness detection, an eye is abstracted to a black area (the eye) with a white point on it (the iris), and that when the user is wearing glasses the way liveness detection scans the eyes changes. The taped lenses reproduce that black-area-plus-white-point pattern, which is enough to pass the check.
Of course, this is a difficult attack to carry out in practice. To unlock another person's phone, an attacker would need to put the glasses on the victim and keep them still enough for Face ID to complete a scan. As the researchers note, the attack is most practical against a victim who is unconscious.
Nonetheless, this is a very different attack than what other Face ID bypasses have highlighted. We’ve seen examples of cybersecurity experts beating Face ID with masks, while there are also some issues with twins and siblings.
Apple itself made several notable announcements at the Black Hat security conference today. The company is expanding its security bounty initiative with higher payouts, macOS support, and an iOS Security Research Device program.
Still more work than putting someone's finger on their Touch ID while they're asleep
— ˗ˏˋeileen dover #BB21ˊˎ˗ (@ThrowTheComp) August 9, 2019