While Face ID was hacked at the Black Hat Conference, the Plausibility of it occurring could only be found in a bad B-Movie
The Black Hat 2019 Conference ran from August 3-8 and we reported earlier this week that Microsoft and Apple Leveled up their Hacker Bug Bounties. Yesterday Forbes posted a report titled "Black Hat USA 2019: Apple iOS New Flaws Let Hackers Break Into All iPhones." The report pointed out that "the Google team exploited the iOS vulnerabilities to hack and take control of an iPhone by just sending text messages."
A report by Threatpost from the conference described how hackers could beat Face ID in a scenario that only applies in a spy novel or implausible Hollywood movie. Certainly it's an unlikely scenario for 99.99% of iPhone users. The hack involves placing modified glasses on an unconsciousness person.
Threatpost reports that "Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim’s FaceID and log into their phone simply by putting a pair of modified glasses on their face. By merely placing tape carefully over the lenses of a pair glasses and placing them on the victim’s face the researchers demonstrated how they could bypass Apple’s FaceID in a specific scenario. The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up.
To launch the attack, researchers with Tencent tapped into a feature behind biometrics called 'liveness' detection, which is part of the biometric authentication process that sifts through “real” versus 'fake' features on people. It works by detecting background noise, response distortion or focus blur. One such biometrics tool that utilizes liveness detection is FaceID, which is designed and utilized by Apple for the iPhone and iPad Pro.
Researchers said during the Black Hat USA 2019 session, titled 'Biometric Authentication Under Threat: Liveness Detection Hacking' that "With the leakage of biometric data and the enhancement of AI fraud ability, liveness detection has become the Achilles’ heel of biometric authentication security as it is to verify if the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture." For more on this, read the Threatpost report.
About Making Comments on our Site: Patently Apple reserves the right to post, dismiss or edit any comments. Those using abusive language or negative behavior will result in being blacklisted on Disqus.