Apple’s Face ID biometric security can be misled using a pair of glasses with tape attached to them, security researchers from Tencent have discovered. ThreatPost reports that the method is able to fool Face ID into thinking someone’s eyes are open, meaning it could allow hackers to gain access to a locked iPhone while its owner is asleep.
The reality of the hack, however, means that it’s unlikely to be of much practical use in a real-world context. A hacker would need to literally place a pair of glasses onto their target without them noticing, and then hold their phone up in front of them. It would be much easier for someone to simply force a target to look at their device, like one FBI agent did last year.
Tencent’s discovery sheds an interesting light on how Apple’s latest biometric security process works, however. The researchers realized that when a subject is wearing glasses, Face ID only tries to look for 2D rather than 3D information from the eye area. It’s then relatively easy to fake this 2D information with a black piece of tape with a white spot on it, which Face ID then mistakes for an open eye as part of its “liveness detection” mechanism. (You can see a picture of these so-called “X-Glasses” in ThreatPost’s report.) Since the rest of the face matches the iPhone’s biometric record, the phone unlocks.
This isn’t the first time security researchers have claimed to have discovered a vulnerability with Face ID. Back in 2017, Wired reported that the Vietnamese research firm Bkav released a video showing them unlocking someone’s phone using a complicated silicone mask with 2D eyes and lips printed on paper. However, this method relied on the team having access to either detailed measurements or a digital scan of their target’s face, which isn’t easy to come by.
In contrast, Apple’s previous biometric security method, Touch ID, was hacked within 24 hours of first going on sale, and it relies on having just a single high-resolution photograph of a fingerprint left behind on a surface. The following year, one security researcher showed how they could use these techniques to construct a working model of the German defense minister’s fingerprint using a high-resolution photo of their hand. You could also, obviously, just hold a target’s finger on their phone while they’re sleeping — no glasses required.