Tape and glasses are all you need to break Apple's FaceID - alongside a sleeping person

Apple has often boasted about the security bona fides of the 3D facial recognition it uses to allow people to unlock their iPhones - and, now, their iPad Pros - using just their face. However, researchers have found various ways of gaming the system, like using twins, family members or a contrived facial mask.

An interesting new workaround was demonstrated at the Black Hat USA 2019 conference this week, where a team of Tencent researchers showed a way of tricking Face ID by using spectacles and a bit of tape. One other ingredient: a sleeping person.

It turns out that, in order to allow people with spectacles to use Face ID without removing their eyewear, Face ID doesn't take 3D information from the area around the eyes when it sees that a user is wearing glasses. Using this weak point in Face ID's implementation, researchers showed how they could put specially modified glasses, with some tape applied to them, on a sleeping person to trick Face ID into unlocking the phone.

Of course, this is a more complex hack than most hackers would like, as it requires physical access to the sleeping person or the ability to forcibly make them unconscious. So, it remains to be seen how feasible it would be as a means of attack.

However, the larger point it highlights is biometric facial recognition's limitation when it comes to detecting 'liveness'. “With the leakage of biometric data and the enhancement of AI fraud ability, liveness detection has become the Achilles’ heel of biometric authentication security as it is to verify if the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture,” said the researchers.

All this goes to show that, when it comes to security, while facial recognition or fingerprint sensors may be more convenient, they are still not as secure as a good password that can't be guessed or brute-forced easily.

Via: The Next Web
