Black Hat Security Researchers Bypass Face ID Using Glasses and Tape

Security researchers have found a way to hack into your iPhone using a pair of glasses with tape on the lenses.

That’s according to a new report from iMore, which explains that, during the 2019 Black Hat conference, researchers from Tencent were able to fool the “liveness” detection in Apple’s biometrics, which is designed to distinguish peoples’ “real” features from “fake” features.

Researchers say liveness detection detects background noise and response distortion or focus blur, allowing it to ensure that a face is a real face and not a mask. This procedure is used by Apple’s Face ID, and an “Attention Aware” feature ensures your iPhone doesn’t unlock unless you’re actually looking at it.

“With the leakage of biometric data and the enhancement of AI fraud ability, liveness detection has become the Achilles’ heel of biometric authentication security as it is to verify if the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture,” the researchers said during the presentation.

Threatpost elaborates:

Researchers specifically honed in on how liveness detection scans a user’s eyes. They discovered that the abstraction of the eye for liveness detection renders a black area (the eye) with a white point on it (the iris). And, they discovered that if a user is wearing glasses, the way that liveness detection scans the eyes changes.

“After our research we found weak points in FaceID… it allows users to unlock while wearing glasses… if you are wearing glasses, it won’t extract 3D information from the eye area when it recognizes the glasses.”

Granted, that’s certainly a very specific set of somewhat strange circumstances, but it’s not a totally outlandish scenario. And now that this loophole has been uncovered, it’s also not crazy to think someone will come up with a much easier way to exploit it.

Rather than indicating a serious security problem, researchers say this proof of concept shows there’s room for improvement in Face ID. Clearly, a sleeping person would wake up when someone puts a pair of glasses on them.