Tencent Researchers, presenting at the 2019 Black Hat security conference, demonstrated a sly way to bypass the iPhone’s Face ID user authentication in less than 120 seconds, according to a report from iMore.
In order to accomplish the bypass, the researchers required a pair of glasses, tape and a sleeping or unconscious iPhone user. Apparently, when a user wears glasses, Face ID does not “extract 3D information from the eye area when it recognizes the glasses.”
This has been documented as one of the security feature’s flaws, according to a report from Threatpost.
Researchers exploited the system’s “liveness” feature, which detects whether the person trying to unlock the device is looking at the phone or is not.
“Researchers specifically honed in on how liveness detection scans a user’s eyes. They discovered that the abstraction of the eye for liveness detection renders a black area (the eye) with a white point (the iris). And, they discovered that if a user is wearing glasses, the way that liveness detection scans the eye changes,” Threatpost detailed.
After creating the modified glasses using black and white tape, the researchers went on to show how easy it would be to transfer money through mobile payments after authenticating with Face ID.
“With the leakage of biometric data and the enhancement of AI fraud ability, liveness detection has become the Achilles’ heel of biometric authentication security,” researchers pointed out during the conference.
But despite the simplicity of creating the bypass frames, not everyone will be able to pull off the hack.
“It comes with challenges. You don’t want to wake up a sleeping victim and 3D systems are difficult to forge,” explained Zhuo Ma, who represents Tencent Security.
— MacRumors.com (@MacRumors) August 8, 2019
Apple previously said that Face ID was created to protect against spoofing using masks, disguises and other techniques. This was done by using anti-spoofing neural networks.
The company also noted that its attention-aware feature was designed to add an additional layer of security for those looking to make sure their device was protected, according to support notes posted to the Apple site.
After the discovery of this Face ID flaw, it’s not difficult to see why Apple might be considering bringing back Touch ID for its future iPhones, as previously reported by The Inquisitr.
Earlier this year, the iPhone maker was granted a patent for an updated version of Touch ID. This version would be placed under the phone’s display by installing an array of pinhole cameras. This aspect would enable users to unlock their devices from any part of the device’s screen, as opposed to being restricted to a single area.
The updated version of Touch ID is expected to come as part of Apple’s 2020 or 2021 iPhones. However, the company is currently preparing to announce its 2019 iPhone 11 and iPhone 11 Max during its upcoming September event.