iOS 15 Includes Improved Face ID Anti-Spoofing Models and Other Vulnerability Fixes

[MacRumors]

The iOS 15 and iPadOS 15 updates that were released today add improved anti-spoofing models for Face ID, further improving the security of facial recognition on the iPhone X and later and the iPad Pro models.

According to Apple's security support document for the updates, there was a Face ID vulnerability that could allow a Face ID iPhone to be unlocked and authenticated using a 3D model constructed to look like the iPhone's owner.

Apple says that this issue has been resolved through improvements to the Face ID feature, which is available on the iPhone X, iPhone XR, iPhone XS (all models), iPhone 11 (all models), iPhone 12 (all models), iPad Pro (11-inch), and iPad Pro (3rd generation).

There are a number of other security fixes included in the iOS 15 update, but none of the exploits were listed as being used in the wild. There was an issue with the Neural Engine that could allow an application to execute arbitrary code with system privileges on devices with a Neural Engine, and a CoreML bug could let attackers cause unexpected application termination or arbitrary code execution.

Apple also addressed issues with FontParser, Preferences, Siri, WebKit, and WiFi, all of which are outlined in Apple's full security document.

For those not particularly interested in the feature set that iOS 15 offers, it may still be a good idea to upgrade just to get the full suite of security fixes that Apple has deployed.

Article Link: iOS 15 Includes Improved Face ID Anti-Spoofing Models and Other Vulnerability Fixes

 

[Apple_Robert]

Glad to see more security like this in iOS 15.

 

[DinkThifferent]

"For those not particularly interested in the feature set that iOS 15 offers, it may still be a good idea to upgrade just to get the full suite of security fixes that Apple has deployed."

So the whole 'we will continue to release security updates for iOS 14 users' was a lie.

 

[joeldonaldson]

14.8 release notes were updated with more documented fixes today. I haven't compared all of them, but there are fixes for Preferences and CoreML mentioned.

 

[subi257]

"For those not particularly interested in the feature set that iOS 15 offers, it may still be a good idea to upgrade just to get the full suite of security fixes that Apple has deployed."

So the whole 'we will continue to release security updates for iOS 14 users' was a lie.

They always continue to realize security updates...for years afterwards.

 

[Populus]

Improved Face iD. For once I thought facial recognition was improved wearing a facemask

 

[alexiaa]

So the whole 'we will continue to release security updates for iOS 14 users' was a lie.

No, it wasn't. They can still backport security fixes to iOS 14 but maybe they'll only get the ones that are deemed more critical.

 

[subi257]

No, it wasn't. They can still backport security fixes to iOS 14 but maybe they'll only get the ones that are deemed more critical.

I still get critical security updates for Mojave

 

[_Spinn_]

there was a Face ID vulnerability that could allow a Face ID iPhone to be unlocked and authenticated using a 3D model constructed to look like the iPhone's owner.

I wondered if something like this would work. Glad Apple is tightening Face ID security.

 

[Sodium Chloride]

Still, it doesn‘t change the fact that people can still open your phone by just pointing it to your face!

 

[alexiaa]

Still, it doesn‘t change the fact that people can still open your phone by just pointing it to your face!

Not true. That's exactly what "Require Attention for Face ID" is for, and it's on by default. You need to have your eyes open and actively looking at the screen. If you're looking away, it won't unlock. It's not totally impossible but makes it harder for people to pull that off. But if you're so concerned about that, you can temporarily disable Face ID by holding the power and volume down buttons for a few seconds.

 

[citysnaps]

"For those not particularly interested in the feature set that iOS 15 offers, it may still be a good idea to upgrade just to get the full suite of security fixes that Apple has deployed."

So the whole 'we will continue to release security updates for iOS 14 users' was a lie.

No, that's not true.



Seriously...why do you post stuff that's not true?

 

[citysnaps]

Still, it doesn‘t change the fact that people can still open your phone by just pointing it to your face!

I hear you bro. Sure wish people would stop doing that to me.

 

[Sir_Macs_A_Lot]

Scary to know that anyone could 'Mission Impossible' their way into my locked iPhone.

When is TouchID coming back again?

 

[EmotionalSnow]

Scary to know that anyone could 'Mission Impossible' their way into my locked iPhone.

When is TouchID coming back again?

If you think that that couldn't happen with Touch ID then you are delusional.

 

[szw-mapple fan]

Scary to know that anyone could 'Mission Impossible' their way into my locked iPhone.

When is TouchID coming back again?

Have you forgotten about all the finger print spoofing that was being demonstrated left and right back in the touchID days? Doing it on faceID is much harder, especially if you have attention turned on.

 

[kwokaaron]

If you think that that couldn't happen with Touch ID then you are delusional.

+1. I've probably read more books/movies about people lifting fingerprints from used glass cups.

 

[jz0309]

Scary to know that anyone could 'Mission Impossible' their way into my locked iPhone.

When is TouchID coming back again?

you rather have your finger cut off?

 

[tgwaste]

Yet still doesn't work in Landscape mode like iPad. 2.5 trillion dollar company.

 

[subi257]

So is this change an internal to the system upgrade or is it something that the user has to initiate?

 

[David8753Co]

you rather have your finger cut off?

I’ve Been hearing about this scenario for almost a decade now.

1. It’s a capacitive sensor. So even if someone cut off your finger and placed it on the phone it still wont unlock…needs electricity from your body
2. Unless the KGB or Jack Bauer is trying to get some info on your phone, this is an utterly absurd scenario. Stealing someone’s phone and cutting someone‘s finger off are on the complete opposite of the spectrum in terms of crime.

People who steal phones are looking to sell it to make money. They aren’t looking to go to prison on a mayhem assault charges for your ~$1,000 smartphone

Seriously, stop watching TV and trying to cast all criminals on the same level. People don’t just cut fingers off because they want to see your emails.

Try critical thinking

 

[centauratlas]

If anyone is that worried about Face ID or Touch ID access to their phone, the easy answer is to turn them off.

Just use a passcode - and don't make it 1234

Really though, Apple is doing a good job protecting with both Face and Touch ID. It is merely a question of your security needs/security profile required vs ease of access.

 

[xmach]

I still get critical security updates for Mojave

I don't think that's accurate. Apple last issued a security update for Mojave on July 21st. Since then, Apple has patched security holes in Catalina and Big Sur (just last week, on the 13th) but not in Mojave.

If you're still running Mojave, you have active/open/known security holes that unfortunately have not and almost certainly will not be addressed. For better and worse, to maintain a secure system, you have to upgrade to at least 10.15.

 

[Shirasaki]

For better and worse, to maintain a secure system, you have to upgrade to at least 10.15.

There are tons of valid reasons to not upgrade, especially for performance and usability, as well as the compatibility (32-bit permanent cutoff in Catalina). Apple should still maintain critical updates for as many systems as possible even if they have been discontinued.

 

[code-m]

If anyone is that worried about Face ID or Touch ID access to their phone, the easy answer is to turn them off.

Just use a passcode - and don't make it 1234

Really though, Apple is doing a good job protecting with both Face and Touch ID. It is merely a question of your security needs/security profile required vs ease of access.

I use 4, 8, 15, 16, 23 and 42. Will I be okay ?