Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy Security Apple IT Technology

Researchers Bypass Apple FaceID Using Biometrics 'Achilles Heel' (threatpost.com) 53

Vulnerabilities have been uncovered in the authentication process of biometrics technology that could allow bad actors to bypass various facial recognition applications -- including Apple's FaceID. But there is a catch. Doing so requires the victim to be out cold. From a report: Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim's FaceID and log into their phone simply by putting a pair of modified glasses on their face. By merely placing tape carefully over the lenses of a pair glasses and placing them on the victim's face the researchers demonstrated how they could bypass Apple's FaceID in a specific scenario. The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up.

To launch the attack, researchers with Tencent tapped into a feature behind biometrics called "liveness" detection, which is part of the biometric authentication process that sifts through "real" versus "fake" features on people. It works by detecting background noise, response distortion or focus blur. One such biometrics tool that utilizes liveness detection is FaceID, which is designed and utilized by Apple for the iPhone and iPad Pro. "With the leakage of biometric data and the enhancement of AI fraud ability, liveness detection has become the Achilles' heel of biometric authentication security as it is to verify if the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture," researchers said during the Black Hat USA 2019 session.

This discussion has been archived. No new comments can be posted.

Researchers Bypass Apple FaceID Using Biometrics 'Achilles Heel'

Comments Filter:
  • So they figured out an attack that requires physical access to the device and the victim's body with the victim being unconscious. Exactly why should any of us be concerned about this? Wake me when they have a threat that doesn't involve the plot of a Mission Impossible movie.

    • by Sique ( 173459 ) on Friday August 09, 2019 @01:11PM (#59070358) Homepage
      The problem with all biometrics: You can't change your key, if your key is compromised. Even if the actual compromitment was clumsy or otherwise not very likely to replicate, your key stays compromised, as your biometrics don't change.
      • "The problem with all biometrics: You can't change your key, if your key is compromised."

        That's why you don't use it for security.
        It's strictly for convenience.

      • To be fair, the scenario discussed requires the actual device to be present, so they haven't really copied the biometric for separate use. If one treats handset biometrics as convenience, not as a security panacea, then it's not too bad.
      • by Solandri ( 704621 ) on Friday August 09, 2019 @02:05PM (#59070788)
        Real security is
        • Something you have
        • plus something you know

        e.g. A TFA keychain token which generates a new code every 30 seconds, plus a password you've memorized.

        The way biometrics is being (ab)used for security right now is to substitute something you have so that you don't have to bother entering something you know. It's not security at all, it's just convenience. FaceID in particular will become obsolete once someone comes up with a hack to use the multiple cameras on phones to generate a 3D "scan" of a face, and 3D printers become ubiquitous enough to print a flexible mask of that scan. If someone hasn't done that in secret already.

        • by dissy ( 172727 )

          Real security is
          Something you have
          plus something you know

          No, those are forms of authentication, one component of security.

          It's not security at all, it's just convenience.

          Biometrics are identification, another component of security.
          The last part of security is authorization, what an authenticated identity is allowed to do.

          Your name, face, fingerprints, voice, etc are all forms of identification.
          Identification is used purely to identify you vs not-you. There are various spheres of uniqueness, and of course fully unique is ideal, but not always required.
          For example your name isn't globally unique, but odds are i

          • Awesome knowledge of the real world of credentials, biometrics and how the average person is not knowledgeable to the every day media sales pitch. The fact is no company can release or sell to the American public any device that is communication or related device without the US government having the ability and rights to access all data within a undisclosed time frame. Just give it a try, my personal challenge.
        • by Macdude ( 23507 )

          It's simpler than that, security requires two things:
          Identification (which biometrics does well) and authentication (which biometrics does horribly).

    • It's kind of on us at this point not to keep anything on our phones worth assault to obtain. That said, I'm sure homeland security wouldn't be opposed to tazing brown people to unlock their phones in case they might be terrorists.

    • by tlhIngan ( 30335 )

      So they figured out an attack that requires physical access to the device and the victim's body with the victim being unconscious. Exactly why should any of us be concerned about this? Wake me when they have a threat that doesn't involve the plot of a Mission Impossible movie.

      Plus, you only get 5 attempts at getting it right. Fail this and you need the PIN to reset it.

      And if you're so paranoid, you're free to not use biometrics. They are completely optional. It's just that Apple pretty much found out that m

    • "Exactly why should any of us be concerned about this?"

      Could the govt use this method to anesthetize an uncooperative individual in order to access their data via a warrant?

    • by hey! ( 33014 )

      Because that could incentivize someone to gain access to your unconscious body.

      Is that likely to happen to you? Probably not, but eventually it'll happen to someone, and it won't be pleasant for that person, who after all is a customer.

    • So they figured out an attack that requires physical access to the device and the victim's body with the victim being unconscious. Exactly why should any of us be concerned about this? Wake me when they have a threat that doesn't involve the plot of a Mission Impossible movie.

      What

      A Mission Impossible movie involves more than one good whack over the head, and extracting the device from a pocket.

  • Not even going to bother to link it, you've all see the $5 wrench bit.

    Lots easier than trying to sneak into someone's room while they are asleep and try to put special glasses on them.

    FaceID activates when presented with real users face, news at 11.... *rolls eyes*.

    • Gotta say, we don't often see eye to eye, but you have collected quite an AMAZING set of trolls to follow you around! I'm actually a bit jealous...
  • by phalse phace ( 454635 ) on Friday August 09, 2019 @12:32PM (#59070092)

    If this bypass "requires the victim to be out cold," then it's no bigger of a worry than Touch ID when the victim is out cold.

    • True, but also if it already has that data (that you're "out cold") should it really be unlocking phones in that scenario? Seems like a glaring oversight.

      • by phayes ( 202222 )

        ZZZZzzz...

        "Glaring" oversight?!? You clearly haven't given _any_ thought to how this far-fetched scenario could or should be avoided - Molehill sighted but no mountain in sight.

        ZZZZzzz...

        • I have had untrustworthy family members and roommates before. Apparently you haven't given any thought to this.

          • I have had untrustworthy family members and roommates before. Apparently you haven't given any thought to this.

            Totally agree. Not totally foolproof, but good enough to keep those folks out.

    • then it's no bigger of a worry than Touch ID when the victim is out cold.

      Which is relevant to current generation Apple phones how?

  • Knocking someone out to put on glasses is quite easy.

  • by the_skywise ( 189793 ) on Friday August 09, 2019 @12:44PM (#59070172)
    That's a literal, actual, feature in FaceID - turning off eye contact in the face recognition, which I do have turned off so I can unlock the phone when I have my sunglasses on.
    I had a buddy's GF unlock his iPhone with touchId using his thumb while he slept to check up on him (he woke up and a great argument ensued)
    Likewise I don't expect FaceID will protect me from getting knocked out and mugged and then they pry my eyelids open to unlock my phone! (let alone use my finger with touchId). It's biometrics for cryin' out loud - not 2FA!
  • by sinij ( 911942 ) on Friday August 09, 2019 @12:47PM (#59070200)
    I often take my face off at home to air out my lizard scales, they can get itchy in cold 100F weather, and occasionally forget where I put it. You know, kind of like when you can't find your car keys. So now I have another way to unlock my iPhone when this happens.
  • Comment removed based on user account deletion
  • That could be handy in many legal and of course illegal operations.

  • This is a method to break into someone's phone without them knowing about it. If the police wanted to break into your phone, why wouldn't they just hold it up to your face?
    Policeman: "What is this white nationalist screed on your phone? Were you meaning to kill people?"
    Suspect: "What are you talking about? Let me see!"
    Policeman: "Thank you."

  • Please define "bypass" for me LOL
  • Except when you look further into it and realize that it is just going to deter the casual crooks. As an extra bonus, once your biometrics-based security is compromised, what can you do? Are you going to change your fingerprints or pluck out your eye?
    • it is just going to deter the casual crooks

      Fortunately, most of us aren't worried about being the target of a "Mission Impossible"-style heist.

      As an extra bonus, once your biometrics-based security is compromised, what can you do?

      Presumably I would go back to password-based security?

      Biometric authentication without a proper second factor isn't appropriate for a lot of use cases, but for accessing the average user's smartphone, it falls comfortably in "good enough" territory.

As of next week, passwords will be entered in Morse code.

Working...