During the Black Hat 2019 conference, security researchers demonstrated an attack that can bypass Face ID. However, there’s a catch: it requires that the user of the iPhone/iPad be unconscious.
Researchers from Tencent took advantage of the “liveness” detection feature of Face ID, which analyses background noise, focus blur, and other aspects to ensure it is looking at a real person and not a 3D model or photo of them. One of the issues with Face ID is that it does not extract 3D information from the area around the eye if it detects that the user is wearing glasses.
The researchers took advantage of this very weakness to bypass Face ID. They created a prototype pair of glasses dubbed “X-glasses”, made by putting black tape on the lenses and white tape inside the black tape.
The researchers specifically homed in on how liveness detection scans a user’s eyes. They discovered that the abstraction of the eye for liveness detection renders a black area (the eye) with a white point on it (the iris). They also discovered that if a user is wearing glasses, the way that liveness detection scans the eyes changes.
It would be extremely challenging for anyone to pull off this hack in real life to bypass Face ID, because it first requires that the owner of the iPhone be sleeping or unconscious. The attacker would then have to place the glasses over that person’s eyes without waking them up. Nonetheless, Tencent researchers suggested that this issue can be resolved by using identity authentication and increasing the weight of audio and video synthesis detection.
[Via ThreatPost]