Bypassing Apple FaceID's Liveness Detection Feature

Apple's FaceID has a liveness detection feature, which prevents someone from unlocking a victim's phone by putting it in front of his face while he's sleeping. That feature has been hacked:

Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim's FaceID and log into their phone simply by putting a pair of modified glasses on their face. By merely placing tape carefully over the lenses of a pair of glasses and placing them on the victim's face the researchers demonstrated how they could bypass Apple's FaceID in a specific scenario. The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up.

Posted on August 15, 2019 at 6:19 AM • 24 Comments

Comments

Alejandro • August 15, 2019 6:53 AM

Basically, all biometrics can be beat given time and a little ingenuity.

There are some special sunglasses out now that reflect IR light back to facial ID cams that messes them up pretty bad. A long billed baseball cap is low tech protection against cameras placed too high. Etc.

Meanwhile, it's well known facial ID simply doesn't work with certain facial types at all.

But, Governments and corporations want us to use biometrics in part because they are so easy to take, have and keep for their own purposes.

I would like to see some really smart people emphatically beat biometrics and at the same time come up with a user-centric new form of authentication that transcends passwords. There's got to be something that works, for us, for a change.

Alejandro • August 15, 2019 8:01 AM

@Trey

Yes!

https://www.idropnews.com/news/this-trick-could-let-you-bypass-face-id-with-just-glasses-and-tape/113955/

August 9, 2019 8:56 AM

"Face ID needs to still work with glasses, but can’t reliably capture the 3D facial information underneath, it falls back to a 2D scan of that area.

This allowed researchers to create a very simple prototype of “X-glasses” with a piece of black and white tape on the lenses that simulate where a user’s eyes would be...."

wiredog • August 15, 2019 9:12 AM

"need to figure out how to put the glasses on an unconscious victim without waking them up."

This assumes you need the victim to be alive.

Alejandro • August 15, 2019 9:29 AM

I suppose a quick acting anesthetic would be an alternative to homicide.

Alternately, simply waking the person up and holding them against their will, with the glasses on or off would work, too.

Regardless, biometrics is not for user security or convenience, it's for making attacks and abuse convenient for opponents.

Parry Noir • August 15, 2019 9:36 AM

> The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up.

I suspect that the attack may still work if the glasses are not put on the victim like normal glasses, i.e. secured using temples. The attacker can remove the temples from the special glasses and attach the frame to something, say a thin but stiff rod. The modified glasses can be held in front of the victim's eyes without touching the victim's face.

Matt • August 15, 2019 9:40 AM

> The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up.

Alcohol

Sed Contra • August 15, 2019 11:20 AM

But if already the person had fixed the broken bridge of their glasses by taping it, wouldn’t that be too much tape?

Jordan • August 15, 2019 11:32 AM

@Warren: you got to it first :-)

These features are no good against determined opponents. But for determined opponents, rubber-hose cryptanalysis works awfully well.

These features are pretty good against attacks by your kids, your purported friends, and people who find your phone on the restaurant table where you left it.

Brian • August 15, 2019 11:47 AM

Not just unconscious victims, but deceased victims and victims in vegetative states are at risk from these kinds of attacks.

Wael • August 15, 2019 11:51 AM

@Warren,

The owner is an asset to some. An asset whose safety is often not considered.

By the way, there's at least one technical inaccuracy in the xkcd you shared.

Jan Willem • August 15, 2019 12:15 PM

Having an identical twin sister or brother is enough. Also if friends and even strangers can see the difference...

Clive Robinson • August 15, 2019 4:19 PM

@ Wael,

> By the way, there's at least one technical inaccuracy in the xkcd you shared.

Would a spanner be just as sweet if called by any other name?

Perhaps, perchance a wrench?

(with apologies to Old Bill Shakespeare)

kaosagnt • August 15, 2019 7:31 PM

Oh well the TSA now have a way of opening your iPhone....

TSA: Oh we don't need to use your finger any more, here, just put on these specially made glasses....

Wael • August 15, 2019 10:50 PM

@Clive Robinson,

> Would a spanner be just as sweet if called by any other name?

Probably!

First of all, the drive is encrypted with a symmetric key -- not an RSA key. Maybe the symmetric key is wrapped with an RSA key... then....

Second of all, these are government employees; they can't get a wrench for $5 ;)

The third one is a false alarm. I read 4096 as 40%, which made little sense.

steve • August 16, 2019 3:41 PM

Actually I thought 2y ago that it can be hacked but everyone said I was a conspiracy theorist.

RealFakeNews • August 18, 2019 6:21 AM

How many times now has facial ID or other forms of visual detection system been utterly overwhelmed by a piece of strategically placed tape?

You would have thought after the first major incident these people would work to try and detect such attempts before entering into the ID phase?

No attempts seem to be made at anti-spoofing.

For some applications I can see why - the visual processing already takes too long without adding more steps to the process (think road sign ID or pedestrian ID).

As for falling back on 2D scanning...major design flaw.

Why not simply fail and ask for a password?

Clive Robinson • August 19, 2019 3:02 AM

@ RealFakeNews,

> As for falling back on 2D scanning...major design flaw.

From a security aspect, all systems that "fall back" to an earlier protocol are an open invitation to become a security failure.

However having a "fall back" in security systems is so common you would not believe just how bad it is. Part of the reason you don't know is that the system implementors make the fall back "transparent" so you as a user do not even get notified.

I've seen a supposedly "high security" system involving encrypted communications that would "fall back" to unencrypted unauthenticated communications. And it was not the system designers' fault, but those who implemented the design...

But you might have a couple of examples of this "fall back" in your pocket right now.

Firstly, those supposedly secure Chip-n-Pin bank cards? Ever wonder what happens if the chip gets damaged or tarnished / dirty contacts? Well someone outside of EMV decided to take a look... Apparently they do a "fall back" to mag-stripe, which everyone involved with the design/implementation process must have known was a very bad idea. Because the repeated mantra for Chip-n-Pin was the greater security it gave over mag-stripe... Worse, people were getting receipts that indicated the transaction had been carried out by Chip-n-Pin when in fact it had been mag-stripe...

The second is your GSM mobile, long term readers of this blog should know that 2G is hopelessly insecure, whilst 3G and 4G are way more secure (5G currently has some question marks hanging over it).

But all mobile phones for "reliability" "fall back" to 2G, which for the guard labour such as the "fat blue line" is exploited by fake cell towers or "interceptors" that get called "Stingers" by some in part due to one of the first of very many such devices having the product name of Stingray. But it's also other branches of Guard Labour including prisons, army bases, navy bases and just about any other puffed up US entity that takes itself over seriously. Back in 2014 users of an expensive "crypto-phone" started reporting the warning messages they were getting and maps were made,

https://www.newsweek.com/what-cell-ls-those-ominous-phony-towers-268589

In the half decade since it's an almost certain bet the interceptors have got a lot lot less expensive, and that the number of users has sky rocketed. In fact if you hunt around you will find graduate type projects using maybe a $1000 of off the shelf components to do the same thing...

When you dig down into the reason implementors do "fall back" the answer boils down to the pretence of "reliability". That is "convenience trumps security" and the same people that insist on "fall back" are usually the ones that insist on it being "transparent to the user" so the user gets no idea about how unreliable the product is and that is "our friends" in marketing whose income is based on inflated price tags...

So remember next time you get told about some new whiz-bang neat security product, especially if it has a significantly higher price tag than similar products, the chances are that to be "reliable" it will almost certainly have built in "fall back" in security to maintain "customer satisfaction" thus justify the high price tag...
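An added example, not part of the comment above or of any product it mentions: a sketch of the alternative to transparent "fall back" raised in this thread ("Why not simply fail and ask for a password?"). The mechanism names, the `Strength` ranking and the `negotiate` function are assumptions made for illustration; the point is that a downgrade below the policy floor is refused unless the user is told and agrees, and that the recorded method is the one that actually ran.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Strength(IntEnum):
    """Constructed ranking for the mechanisms named in the comments."""
    WEAK = 1    # e.g. mag-stripe, 2G, a 2D face scan
    STRONG = 2  # e.g. Chip-n-Pin, 3G/4G, a 3D face scan


@dataclass(frozen=True)
class Outcome:
    accepted: bool
    method: Optional[str]  # the mechanism that actually ran, for the receipt/log
    downgraded: bool
    notice: str            # always shown to the user, never hidden


def negotiate(offered, available, floor, user_confirms=lambda method: False):
    """Choose the strongest shared mechanism; never drop below `floor` silently.

    offered: dict of mechanism name -> Strength the device supports.
    available: set of mechanism names usable right now.
    """
    common = {m: s for m, s in offered.items() if m in available}
    if not common:
        return Outcome(False, None, False, "no usable mechanism; failing closed")
    best = max(common, key=common.get)
    preferred = max(offered, key=offered.get)
    downgraded = common[best] < offered[preferred]
    if common[best] >= floor:
        note = f" (downgraded from {preferred})" if downgraded else ""
        return Outcome(True, best, downgraded, f"used {best}{note}")
    # Below the floor: refuse unless the user is told and explicitly agrees.
    if user_confirms(best):
        return Outcome(True, best, True, f"user-approved downgrade to {best}")
    return Outcome(False, None, True, f"refused fall back to {best}; use another credential")


# Constructed sample: a card whose chip cannot be read.
CARD = {"chip_and_pin": Strength.STRONG, "mag_stripe": Strength.WEAK}

if __name__ == "__main__":
    print(negotiate(CARD, {"mag_stripe"}, Strength.STRONG))
    print(negotiate(CARD, {"mag_stripe"}, Strength.STRONG, lambda m: True))
    print(negotiate(CARD, {"chip_and_pin", "mag_stripe"}, Strength.STRONG))
```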

RealFakeNews • August 19, 2019 4:25 AM

@Clive:

I simply do not trust modern communications or hardware. I use them, but I don't trust them.

I guess the situation exists because people simply do not care. I had a "discussion" (more like argument) with a family member recently about social media and what they were posting. Their response was "I've got nothing to hide, so why do I care?".

People then wonder why they get scammed.

RealFakeNews • August 19, 2019 4:34 AM

@Clive:

I'm old enough to remember analogue mobile phones back when they were new. They would show you the cell ID of every tower that was visible.

A trend that I dislike immensely is the apparent loss of "default" functionality as things "advance".

Now, aside from showing the network operator ID, the cell info is very hard to find if at all, without additional tools.

Despite my line of work, people are surprised that I'm almost anti-technology, but don't understand why when I explain.

I know the laws of "lowest common denominator" and "if it isn't required throw it out" apply, but the loss of some of this functionality "out the box" is what makes some of these attacks possible, as people are not only unaware it can happen, but have no easy way to check, either.

Clive Robinson • August 19, 2019 1:15 PM

@ ,

> ... as people are not only unaware it can happen, but have no easy way to check, either.

Which is the big problem with the likes of marketing deciding what the "user experience" should be like...

Personally I don't want to live in a "Rose scented opium den" there is no future to it. Nature gave me a pair of feet to stand on and a brain to think with, for a reason, and that's staying alive in a dangerous world by being aware. The more we take people away from "being aware of real life" with technology and the like the harder the fall will be.

Technology is like a rock, you can use it sensibly as a tool to make better tools to generally improve your life, or you can sit there like a plant just passively watching it thus becoming prey to anything that happens by, but the worst option is to use the rock as a tool of destruction which is what for some reason humans mainly end up doing with technology...

Currently we are seeing technology being used as a way to enslave us, and turn us into drones for ever turning over the fruits of our labour to those holding out their hands and demanding tribute, which they then use to further enslave the majority...

It's one of the reasons not so long ago that our host was warning of "serfdom" as certain people set themselves up to be neo-barons of the technical age.

Jimmy “Tuxedo” Tong • August 22, 2019 2:29 PM

@Clive

> The more we take people away from "being aware of real life" with technology and the like the harder the fall will be.

“Right on, right on !!

- Last Emperor of Soul

Sidebar photo of Bruce Schneier by Joe MacInnis.