There are plenty of vulnerabilities in the biometrics that are commonly used for unlocking devices today, including fingerprint readers and Apple's Face ID. Researchers at the Black Hat USA 2019 conference this week demonstrated a new attack that allowed them to bypass a victim's Face ID and log in to the user's phone. However, the method is a little disturbing: the hackers had to use an unconscious victim and place a pair of modified glasses on their face.
To pull off the hack, the researchers placed tape carefully over the lenses of a pair of glasses and then put the glasses on the victim's face to show how Face ID could be bypassed in this specific scenario. The exploit would be a hard one to pull off in the real world as the hackers would need access to the unconscious or sleeping victim and be able to place the glasses on their face without waking them up.
The researchers who devised the hack are with Tencent, and they exploited a feature of biometrics called "liveness" detection. This is the part of the biometric authentication process that distinguishes real features of people from fake ones. It works by detecting background noise, response distortion, or focus blur. Apple's Face ID authentication protocol uses liveness detection.
The researchers say that liveness detection is the "Achilles' Heel" of Apple's Face ID biometric authentication security. The team hoped to bypass biometric security without elaborate hacks, simply by using the face of the user while they were unconscious. They focused on how liveness detection scans a user's eyes and found that the abstraction of the eye for liveness detection renders a black area, the eye, with a white point on the iris.
The team says that when users are wearing glasses, the way liveness detection scans the eyes changes: Face ID doesn't extract 3D information from the eye area. The team placed black tape on the glasses and put them on the sleeping victim's face to bypass the attention mechanics and unlock the victim's phone. They then transferred money through a mobile payment app. Drawbacks to the hack include that the victim has to be unconscious and can't wake up when the glasses are on their face. In the past, two unrelated Chinese women were able to unlock their iPhone using Face ID.