Researchers have found a way to bypass Apple’s FaceID system using a pair of glasses with black tape on the lenses. According to a ThreatPost report, the method takes advantage of the liveness detection feature, which determines whether the biometric being captured comes from an actual person and not a mask or a photograph.
Researchers from Tencent put black tape on both lenses of a pair of glasses, and white tape inside the black tape, to carry out the attack. The modified glasses, dubbed "X-glasses", can then simply be placed over the victim’s eyes while they are sleeping to unlock their phone. Once the phone was unlocked, the researchers were able to transfer money using mobile payment on the victim’s phone.
The attack exploits how liveness detection scans a user’s eyes. The researchers took advantage of two key factors: liveness detection behaves differently when a user is wearing glasses, and 3D information of the eye area is not extracted when a user is wearing glasses.
"They discovered that the abstraction of the eye for liveness detection renders a black area (the eye) with a white point on it (the iris)," the report read. But the attack is quite difficult to carry out, as it requires the victim to be sleeping or unconscious when the glasses are put on so that they stay in place. And of course, the victim’s iPhone is needed.
Apple FaceID is touted by the company as among the "most advanced" security technologies on personal devices. But this is not the first time that a loophole in FaceID has been exploited. In 2017, Wired reported that a team of researchers from Vietnamese security firm Bkav claimed to have fooled the FaceID authentication system using a composite 3D-printed mask. The security experts also posted a video showing how they did this.