Clearly there are different stories for biometrics. Face ID works very well for me, as did Touch ID. My wife could never get Touch ID to work, but face id works flawlessly for her.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Researchers Demonstrated Method for Bypassing Face ID on an 'Unconscious' Victim's iPhone Using Glasses and Tape
- Thread starter MacRumors
- Start date
- Sort by reaction score
And this just in. When someone threatens to break your arm, you most often give up your 6 digit security code. Which means anything that uses a security code is not secure. OK folks...NOTHING is 100% secure all-the-time. But I will keep an eye out for people stealing my phone and then asking me to wear blacked-out glasses while looking at my phone.
They might as well say: "If you kidnapp your victim, bound them and force them to unlock their phone you can bypass Apple's security system".
Thing is, biometrics work after you are dead and this research just shows that. Passwords are the only thing that stops working once you are room temperature.
Aside: I am puzzled why touchid is even mentioned in comments here. The original article does not seem to claim anything about it at all.
Yes indeed. "These people" want to highlight security loopholes, so that they get covered up. History has a long record of companies attempting to ignore such issues and hoping they'll go away.
This would likely work equally well on unconscious or dead people. I'm guessing the guys involved didn't mention it because they didn't have someone in either state to test it. Plenty of people have been mugged, knocked unconscious or killed for less.
Yes, this has nothing to do with "research". Cui bono (not just these "hats" or criminals...)...
Biometric systems always are limited somehow. That is in principle the main disadvantage of this technology. Therefore BlackHats do not "force" companys to improve. They just stimulate criminal minds.
Last edited:
There are already people apologising for how this can be bypassed, including the article. If someone wanted to get into your phone through nefarious methods, then either TouchID or FaceID is the weakest point in the system. So many people in recent years have gave Samsung et al a hard time for how "easy" their security can be bypassed, but at the end of the day, the only thing that will really keep your phone secure from crooks or law enforcement is a decent alphanumerical password. Law enforcement have the power to force you to unlock using your fingertip or your face, not your password.
In the time it takes for FaceID to fail, then give you the keypad to put in your password, you could easily have typed in a 10 character alphanumerical password that is every bit as strong.
For example, the basic password that I use for most of my accounts that I don't care about is 10 characters inc upper, lower, numbers and special. I have typed it in so many times over the last 10 years that it is pure muscle memory at this point, and can be typed in less than 2 seconds.
To crack it using brute force @ 100,000,000,000 attempts per second, it would take 23 years to crack. On an iPhone where even people like Cellebrite will be looking at the very most, a few thousand attempts a second, it would take literally MILLIONS OF YEARS to crack.
In the time it takes for FaceID to fail, then give you the keypad to put in your password, you could easily have typed in a 10 character alphanumerical password that is every bit as strong.
For example, the basic password that I use for most of my accounts that I don't care about is 10 characters inc upper, lower, numbers and special. I have typed it in so many times over the last 10 years that it is pure muscle memory at this point, and can be typed in less than 2 seconds.
To crack it using brute force @ 100,000,000,000 attempts per second, it would take 23 years to crack. On an iPhone where even people like Cellebrite will be looking at the very most, a few thousand attempts a second, it would take literally MILLIONS OF YEARS to crack.
WOW...i bet you can bypass touchID or faceID or anything else if you put a gun into his face and ask for unlocked phone...HOW DO YOU SOLVE THAT....Jesus Christ..i mean its ok to find something like that, but to be a big news,or big threat is childish
Grab victim. Break a finger. Repeat if necessary. Get all the info you ever want. This is how it has always worked and --will-- always work.
[doublepost=1565344094][/doublepost]
Okay, you beat me to it.
Interetsting. I always wondered if this attention awareness has any value at all. My phone is usually mounted next to the steering wheel at the dashboard and I unlock it by leaning a bit forward without looking at it as i have to pay attention to traffic. It unlocks without problems although I never look at it directly and I have attention awareness activated.
This hack explains that. I wear glasses and it seems FaceID simply ignores where I'm looking at.
This hack explains that. I wear glasses and it seems FaceID simply ignores where I'm looking at.
beats the hassle of picking the phone,looking at it at a ceratin distance to work a million times when counscious / awake.
I don't think the thought of this is for sleeping people as opposed to unconscious....as in drop something in your drink and once you're out steal your ****.
And if I fly to the moon, loop around Saturn, it'll shoot me straight to Pluto.. it's just that easy!
And with neither, you just take that sleeping/unconscious person, drag them to a van with darkened windows, and then you beat them until you have the passcode. So this is nothing that couldn't be done anyway. Nothing to see here.
[doublepost=1565353869][/doublepost]
Of course this works only once. The next time you want to unlock you don't have the face, you need the passcode. There is no way to lengthen the time that the phone will stay active without passcode, and there is no way to change the recognised face without passcode.
[doublepost=1565353923][/doublepost]
As I said, if the victim is kidnapped, you can get their passcode.
If you are that important person, use password.
[doublepost=1565354063][/doublepost]
Are you sure about iris scan? Afaik banks use it for secure rooms.
Because there's a camp of people against the idea of Face ID, that prefer Touch ID, claiming it is more secure.
[doublepost=1565354332][/doublepost]There are rumors that an upcoming version of iPhone will have Face ID *and* Touch ID embedded in the screen. If true, and it likely is, then Apple will sell that as being the "most secure method" by using both at the same time. And nobody could argue against that.
I wonder if these will work?
Just use these stickers to put on the sleeping person's eyelids
https://www.amazon.com/Roylco-R3338...=2025&creative=165953&creativeASIN=B0017OAPBM
Just use these stickers to put on the sleeping person's eyelids
https://www.amazon.com/Roylco-R3338...=2025&creative=165953&creativeASIN=B0017OAPBM
As an Amazon Associate, MacRumors earns a commission from qualifying purchases made through links in this post.
My only takeaway from this story is that these glasses will be sold to law enforcement to unlock phones without the owner's consent. I don't think they come across too many sleeping people but they do come across injured and unconscious people all the time that would not wake up.
This is hilarious. If this is the best they can do, then I’m even more impressed with FaceID.