Researchers Demonstrated Method for Bypassing Face ID on an 'Unconscious' Victim's iPhone Using Glasses and Tape

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Aug 8, 2019.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    During the Black Hat USA conference in Las Vegas, researchers demonstrated a Face ID bypass method that used glasses and tape to unlock and infiltrate the iPhone of an "unconscious" victim.

    According to a report from Threatpost (via iMore), researchers from Tencent aimed to fool the "liveness" detection feature in biometrics, which is meant to distinguish "real" from "fake" features on people.

    [​IMG]

    Liveness detection, said the researchers, detects background noise and response distortion or focus blur, allowing it to make sure that a face is a real face and not a mask. This liveness detection is used by Face ID, and Apple even has an "Attention Aware" feature that makes sure your iPhone doesn't unlock unless you're looking at it.

    To trick Face ID, the researchers created prototype glasses with black tape on the lenses and white tape inside the black tape to emulate the look of an eye. When putting the glasses over a sleeping victim's face, they were able to access his iPhone and send themselves money through a mobile payment app.

    This method worked because the researchers found that liveness detection works differently with glasses and essentially doesn't extract 3D information from the eye area when glasses are worn.
    An attacker attempting to use this method in the real world would need a victim that's sleeping or unconscious, access to that victim's iPhone, and then glasses would need to be placed over the eyes without waking the person up. It's worth noting that this isn't a situation most people are likely to run into, and there's also no secondary research on this alleged method this time.

    To mitigate the eye detection loophole in the future, researchers suggested biometrics manufacturers add identity authentication for native cameras and "increase the weight of video and audio synthesis detection."

    Apple has designed Face ID with easy access disabling measures for situations where a person might be coerced or forced into unlocking an iPhone with facial recognition. Pressing on the sleep/wake button of a Face ID-enabled iPhone five times in rapid succession brings up an emergency SOS screen that automatically disables Face ID and requires a passcode to be entered before Face ID works again. Pressing and holding the side/top button and a volume button also works on the iPhone and the iPad Pro.

    Article Link: Researchers Demonstrated Method for Bypassing Face ID on an 'Unconscious' Victim's iPhone Using Glasses and Tape
     
  2. Wilson1313 macrumors member

    Joined:
    Nov 29, 2008
    #2
    And with Touch ID, you just grab a sleeping/unconscious victim's finger and...
     
  3. farewelwilliams macrumors 68020

    Joined:
    Jun 18, 2014
    #3
    ok. how is this any less secure than TouchID?
     
  4. Relentless Power macrumors Penryn

    Relentless Power

    Joined:
    Jul 12, 2016
    #4
    Article quote:

    An attacker attempting to use this method in the real world would need a victim that's sleeping or unconscious, access to that victim's iPhone, and then glasses would need to be placed over the eyes without waking the person up.”

    Yeah, because this is a real easy to bypass the users Face using this method. :rolleyes:
     
  5. Kardinal1911 macrumors regular

    Kardinal1911

    Joined:
    Jan 7, 2014
    Location:
    Houston
    #5
    I appreciate these findings because it challenges Apple and others to improve the security of devices as we move to biometrics. But I highly doubt someone could slap some glasses on my face and I not wake up... moreover if what’s in my phone is this important that you’d make a pair of Face ID cooling glasses. I doubt I’d be around you anyway
    --- Post Merged, Aug 8, 2019 ---
    Weekend at Bernie’s type crap lol
     
  6. keysofanxiety macrumors G3

    keysofanxiety

    Joined:
    Nov 23, 2011
    #6
    This is a bit of a reach. I think for Face ID to be fooled by such a ridiculous circumstance just goes to show how hard they’ve tried to ‘break’ it — I highly doubt this was their first attempt or idea for how to circumvent it.

    It’s a far cry from a photograph fooling facial recognition.
     
  7. Unity451 macrumors 6502

    Unity451

    Joined:
    Aug 29, 2011
    Location:
    California
    #7
    That's why I always wear sunglasses when I sleep... Everybody thinks I'm awake and just unengaged with the world. No one can break THAT fortress of security!
     
  8. CLS727 macrumors regular

    CLS727

    Joined:
    Feb 5, 2018
    #8
    does touch ID still work if the person is dead? cold fingers, etc

    asking for a friend
     
  9. keysofanxiety macrumors G3

    keysofanxiety

    Joined:
    Nov 23, 2011
    #9
    Sunglasses? You need to step up your game and get the always awake glasses. ;)

    [​IMG]
     
  10. JohnnieBBadde, Aug 8, 2019
    Last edited: Aug 8, 2019

    JohnnieBBadde macrumors member

    Joined:
    Dec 11, 2014
    #10
    I suggest the all-new biometric authentification feature Face PALM.

    First, a camera array is 3D-scanning your face, then you place one of your palms on your face so that magically amazing IR sensors can pick up the unique pattern of the veins in your hand.

    http://www.reactiongifs.com/r/facepalm.gif
     
  11. Naraxus macrumors 6502a

    Naraxus

    Joined:
    Oct 13, 2016
    #11
    It should. All that's needed is the fingerprint
     
  12. sdf macrumors regular

    sdf

    Joined:
    Jan 29, 2004
    #12
    My kid did this to me once!

    It was for something free, but still.
     
  13. D.T. macrumors G3

    D.T.

    Joined:
    Sep 15, 2011
    Location:
    Vilano Beach, FL
    #13
    I used voodoo to turn a person into a zombie, and directed them to send me money ...

    *casts spell*

    "Send me $20!"

    "Uhhh ... yes master ..."

    *profit*
     
  14. Pafoofnik macrumors member

    Pafoofnik

    Joined:
    Apr 14, 2014
    #14
    It was researchers that convinced Cook to go to Face ID to begin with. Hey, Tim, bring back Touch ID!!!
     
  15. konqerror macrumors 6502a

    Joined:
    Dec 31, 2013
    #15
  16. FightTheFuture macrumors 65816

    FightTheFuture

    Joined:
    Oct 19, 2003
    Location:
    that town east of ann arbor
    #16
    Yep. Police actually did this to a dead perp at a funeral once.
     
  17. JPack macrumors 601

    JPack

    Joined:
    Mar 27, 2017
    #17
    In theory, ultrasonic fingerprint sensors are better for liveness detection because it scans the blood capillaries for blood flow. Touch ID is old technology that relies on capacitive properties.

    Again, in theory, facial detection would not detect a beaten up victim wearing X-glasses.
     
  18. Relentless Power macrumors Penryn

    Relentless Power

    Joined:
    Jul 12, 2016
    #18
    Yes. Touch ID incorporates a capacitive sensor, which reads dermal fingerprints, which doesn’t rely any type of body temperature for an accurate reading of the deceased person.
     
  19. Sedulous macrumors 68020

    Sedulous

    Joined:
    Dec 10, 2002
    #19
    It does not work with the dead or severed.
     
  20. 69Mustang macrumors 604

    69Mustang

    Joined:
    Jan 7, 2014
    Location:
    In between a rock and a hard place
    #20
    Dollar store reading glasses and two squares of construction paper vs high tech security. And the winner is...

    sometimes the simplest solution is the best solution. This solution is damn simple.
     
  21. alpi123 macrumors 6502a

    alpi123

    Joined:
    Jun 18, 2014
    #21
    Face ID is still more secure than Touch ID... the work needed to bypass it is way more than just use the fingerprint of someone (you don't even have to touch them, if you align the phone to touch it directly)
     
  22. XXPP macrumors newbie

    Joined:
    Jun 30, 2019
    #22
    ok, I thought they really cheated Face iD. Move along...
     
  23. Boardiesboi macrumors 65816

    Boardiesboi

    Joined:
    Sep 3, 2013
    Location:
    Sydney Australia
    #23
    Reporting on this "research" is just giving these people the attention they want.

    How many people in real life would go into that much trouble to unlock someone else's phone? If I'm a victim and held in captivity, I'd willingly unlock my phone for you so you can drain the $500 I have in my bank account.
     
  24. coolfactor macrumors 601

    Joined:
    Jul 29, 2002
    Location:
    Vancouver, BC CANADA
    #24
    You may have your wish with the next iPhone (in 2020).
     
  25. JohnApples macrumors 65816

    Joined:
    Mar 7, 2014
    #25
    This reminds me of the scenarios people came up with when FaceID was first announced:

    “A person could just grab my phone out of my hands, shove it in my face, then run away with it!”

    If the person was smart, they would wait until you unlocked it yourself before grabbing it, regardless of which security method you’re using.

    Plus you’re assuming that the person is able to grab the phone, wake the screen, make sure it’s at a correct distance, give it a second to scan your face, and verify that it unlocked all without you reacting in any way.

    This is an interesting bypass, and a good way to challenge Apple to improve FaceID imo. But the real-world practicality is very low.
     

Share This Page

177 August 8, 2019