Researchers Demonstrated Method for Bypassing Face ID on an 'Unconscious' Victim's iPhone Using Glasses and Tape

Discussion in ' News Discussion' started by MacRumors, Aug 8, 2019.

  1. MacRumors macrumors bot


    Apr 12, 2001

    During the Black Hat USA conference in Las Vegas, researchers demonstrated a Face ID bypass method that used glasses and tape to unlock and infiltrate the iPhone of an "unconscious" victim.

    According to a report from Threatpost (via iMore), researchers from Tencent aimed to fool the "liveness" detection feature in biometrics, which is meant to distinguish "real" from "fake" features on people.


    Liveness detection, said the researchers, detects background noise and response distortion or focus blur, allowing it to make sure that a face is a real face and not a mask. This liveness detection is used by Face ID, and Apple even has an "Attention Aware" feature that makes sure your iPhone doesn't unlock unless you're looking at it.

    To trick Face ID, the researchers created prototype glasses with black tape on the lenses and white tape inside the black tape to emulate the look of an eye. When putting the glasses over a sleeping victim's face, they were able to access his iPhone and send themselves money through a mobile payment app.

    This method worked because the researchers found that liveness detection works differently with glasses and essentially doesn't extract 3D information from the eye area when glasses are worn.
    An attacker attempting to use this method in the real world would need a victim that's sleeping or unconscious, access to that victim's iPhone, and then glasses would need to be placed over the eyes without waking the person up. It's worth noting that this isn't a situation most people are likely to run into, and there's also no secondary research on this alleged method this time.

    To mitigate the eye detection loophole in the future, researchers suggested biometrics manufacturers add identity authentication for native cameras and "increase the weight of video and audio synthesis detection."

    Apple has designed Face ID with easy access disabling measures for situations where a person might be coerced or forced into unlocking an iPhone with facial recognition. Pressing on the sleep/wake button of a Face ID-enabled iPhone five times in rapid succession brings up an emergency SOS screen that automatically disables Face ID and requires a passcode to be entered before Face ID works again. Pressing and holding the side/top button and a volume button also works on the iPhone and the iPad Pro.

    Article Link: Researchers Demonstrated Method for Bypassing Face ID on an 'Unconscious' Victim's iPhone Using Glasses and Tape
  2. Wilson1313 macrumors member

    Nov 29, 2008
    And with Touch ID, you just grab a sleeping/unconscious victim's finger and...
  3. farewelwilliams macrumors 68020

    Jun 18, 2014
    ok. how is this any less secure than TouchID?
  4. Relentless Power macrumors Penryn

    Relentless Power

    Jul 12, 2016
    Article quote:

    An attacker attempting to use this method in the real world would need a victim that's sleeping or unconscious, access to that victim's iPhone, and then glasses would need to be placed over the eyes without waking the person up.”

    Yeah, because this is a real easy to bypass the users Face using this method. :rolleyes:
  5. Kardinal1911 macrumors regular


    Jan 7, 2014
    I appreciate these findings because it challenges Apple and others to improve the security of devices as we move to biometrics. But I highly doubt someone could slap some glasses on my face and I not wake up... moreover if what’s in my phone is this important that you’d make a pair of Face ID cooling glasses. I doubt I’d be around you anyway
    --- Post Merged, Aug 8, 2019 ---
    Weekend at Bernie’s type crap lol
  6. keysofanxiety macrumors G3


    Nov 23, 2011
    This is a bit of a reach. I think for Face ID to be fooled by such a ridiculous circumstance just goes to show how hard they’ve tried to ‘break’ it — I highly doubt this was their first attempt or idea for how to circumvent it.

    It’s a far cry from a photograph fooling facial recognition.
  7. Unity451 macrumors 6502


    Aug 29, 2011
    That's why I always wear sunglasses when I sleep... Everybody thinks I'm awake and just unengaged with the world. No one can break THAT fortress of security!
  8. CLS727 macrumors regular


    Feb 5, 2018
    does touch ID still work if the person is dead? cold fingers, etc

    asking for a friend
  9. keysofanxiety macrumors G3


    Nov 23, 2011
    Sunglasses? You need to step up your game and get the always awake glasses. ;)

  10. JohnnieBBadde, Aug 8, 2019
    Last edited: Aug 8, 2019

    JohnnieBBadde macrumors member

    Dec 11, 2014
    I suggest the all-new biometric authentification feature Face PALM.

    First, a camera array is 3D-scanning your face, then you place one of your palms on your face so that magically amazing IR sensors can pick up the unique pattern of the veins in your hand.
  11. Naraxus macrumors 6502a


    Oct 13, 2016
    It should. All that's needed is the fingerprint
  12. sdf macrumors regular


    Jan 29, 2004
    My kid did this to me once!

    It was for something free, but still.
  13. D.T. macrumors G3


    Sep 15, 2011
    Vilano Beach, FL
    I used voodoo to turn a person into a zombie, and directed them to send me money ...

    *casts spell*

    "Send me $20!"

    "Uhhh ... yes master ..."

  14. Pafoofnik macrumors member


    Apr 14, 2014
    It was researchers that convinced Cook to go to Face ID to begin with. Hey, Tim, bring back Touch ID!!!
  15. konqerror macrumors 6502a

    Dec 31, 2013
  16. FightTheFuture macrumors 65816


    Oct 19, 2003
    that town east of ann arbor
    Yep. Police actually did this to a dead perp at a funeral once.
  17. JPack macrumors 601


    Mar 27, 2017
    In theory, ultrasonic fingerprint sensors are better for liveness detection because it scans the blood capillaries for blood flow. Touch ID is old technology that relies on capacitive properties.

    Again, in theory, facial detection would not detect a beaten up victim wearing X-glasses.
  18. Relentless Power macrumors Penryn

    Relentless Power

    Jul 12, 2016
    Yes. Touch ID incorporates a capacitive sensor, which reads dermal fingerprints, which doesn’t rely any type of body temperature for an accurate reading of the deceased person.
  19. Sedulous macrumors 68020


    Dec 10, 2002
    It does not work with the dead or severed.
  20. 69Mustang macrumors 604


    Jan 7, 2014
    In between a rock and a hard place
    Dollar store reading glasses and two squares of construction paper vs high tech security. And the winner is...

    sometimes the simplest solution is the best solution. This solution is damn simple.
  21. alpi123 macrumors 6502a


    Jun 18, 2014
    Face ID is still more secure than Touch ID... the work needed to bypass it is way more than just use the fingerprint of someone (you don't even have to touch them, if you align the phone to touch it directly)
  22. XXPP macrumors newbie

    Jun 30, 2019
    ok, I thought they really cheated Face iD. Move along...
  23. Boardiesboi macrumors 65816


    Sep 3, 2013
    Sydney Australia
    Reporting on this "research" is just giving these people the attention they want.

    How many people in real life would go into that much trouble to unlock someone else's phone? If I'm a victim and held in captivity, I'd willingly unlock my phone for you so you can drain the $500 I have in my bank account.
  24. coolfactor macrumors 601

    Jul 29, 2002
    Vancouver, BC CANADA
    You may have your wish with the next iPhone (in 2020).
  25. JohnApples macrumors 65816

    Mar 7, 2014
    This reminds me of the scenarios people came up with when FaceID was first announced:

    “A person could just grab my phone out of my hands, shove it in my face, then run away with it!”

    If the person was smart, they would wait until you unlocked it yourself before grabbing it, regardless of which security method you’re using.

    Plus you’re assuming that the person is able to grab the phone, wake the screen, make sure it’s at a correct distance, give it a second to scan your face, and verify that it unlocked all without you reacting in any way.

    This is an interesting bypass, and a good way to challenge Apple to improve FaceID imo. But the real-world practicality is very low.

Share This Page

177 August 8, 2019