Researchers have found a rather simplistic way to get around one of Face ID’s security features with nothing more than a pair of glasses with tape on the lenses, but while it’s an interesting evidence that no system is foolproof, whether users should actually be cocnerned is another matter entirely.
As reported by ThreatPost, researchers at this week’s Black Hat security conference in Las Vegas spoke on vulnerabilities in the authentication process use with various biometrics, demonstrating an attack on Face ID that allowed them to bypass the security feature and log into an iPhone by putting a pair of modified glasses on the face of an unconscious or sleeping victim.
Looking for Signs of Life
Researchers with Tencent were specifically analyzing the “liveness” detection algorithms of various facial recognition systems that are designed to distinguish between “real” versus “fake” features on people. While many systems work by detecting things like background noise, response distortion, or focus blur, Apple’s Face ID goes a step further by actually projecting an infrared contour map onto the user’s face, making it very difficult to deliberately fool with even a 3D mask, much less something as basic as a photograph.
However, Face ID also includes an “attention” feature that’s designed to make sure that you’re actually looking directly at your iPhone before it authenticates you. Among other things, this feature prevents somebody from simply holding your iPhone in front of your face while you’re sleeping or otherwise unconscious.
Face ID and Glasses
At a most basic level, attention detection with Face ID works by analyzing the user’s eyes to see if they’re actually looking at the iPhone, by analyzing the user’s irises and pupils. While this is normally included as part of the same 3D depth map as the rest of the face, the Tencent researchers note that the algorithm changes when Face ID detects that the user is wearing glasses.
According to the team, since Face ID needs to still work with glasses, but can’t reliably capture the 3D facial information underneath, it falls back to a 2D scan of that area. This allowed researchers to create a very simple prototype of “X-glasses” with a piece of black and white tape on the lenses that simulate where a user’s eyes would be.
The trick allowed researchers to unlock an unconscious victim’s iPhone and, as a further proof of how serious it could be, transfer money from one of the victim’s accounts through a mobile payment app.
Should You Be Worried?
The most important thing to keep in mind about this security exploit is that it still requires you — or at least your face — to be physically present for your iPhone to be unlocked. All that the “X-glasses” provide is the ability to unlock the iPhone when you’re sleeping or otherwise unconscious.
Unless you have a habit of falling asleep in public places, in most cases this means that you’d only be vulnerable to a friend or family member, and you’d have to be a heavy enough sleeper to not wake up when somebody tries to put a pair of glasses on your face.
At the other extreme, however, we could see this technique being used by law enforcement and emergency services workers in scenarios where an iPhone user is found unconscious, such as at the scene of an accident. This could be a good or bad thing, depending on the circumstances and your stance on privacy. While it could allow paramedics to access important medical or emergency contact information that’s not otherwise available through your Medical ID, it could also be used by law enforcement to gather evidence at a crime scene.
It’s also worth adding that the “attention” feature isn’t even mandatory. While it’s on by default, it’s possible for a user to manually disable it in the iPhone security settings, in which case this particular exploit is irrelevant as Face ID won’t care about whether your eyes are even open in the first place, much less whether you’re looking at your iPhone. While in our opinion it’s always better to leave this feature on, there are legitimate cases where switching it off will make your life easier, such as if you frequently wear sunglasses that block Face ID, or just want it to authenticate you more quickly. As always, there are tradeoffs between convenience and security.
The team of researchers who highlighted the exploit have already suggested a few possible mitigations, but it also seems likely that Apple will employ some of its own techniques to address this in future iOS and TrueDepth camera updates, likely by improving its machine-learning algorithms to more accurately discern between an actual eyeball and a piece of tape on the front of a pair of glasses.