During the Black Hat USA 2019 security conference, some researchers showed that Apple’s Face ID can be bypassed during a very specific scenario.
According to them, Face ID has more chances of misidentifying you if you happen to wear glasses, since the feature does not go further to explore all the 3D information from the eye area because of them. So the researchers with Tencent took advantage of a feature of biometrics known as “liveness; detection. This process analyzes real vs, fake features when it comes to the users and detects background noise, response distortion or any strange focus blur that might appear.
According to the researchers “the abstraction of the eye for liveness detection renders a black area (the eye) with a white point on it (the iris)”. So, if the user happens to wear glasses, the liveness detection scan for the eyes shifts a little and becomes less accurate.
They took a pair of glasses, which they dubbed the X-glasses and put black tape on the lenses and white tape within the black one. If these glasses are placed on an unsuspecting victim (during the time they are asleep, for example) anyone could gain access to their phone.
By using this trick, the researchers managed to unlock a ‘victim’s’ phone and transfer his money via the mobile payment app.
Obviously, it wouldn’t be an easy thing to do and, while it sounds a little like something out of a comedy movie, you have to keep in mind that the idea behind the demonstration is that it can be done, especially if the victim is unconscious, which, in turn, shows a flaw in the Face ID system.
“It comes with challenges, you don’t want to wake up a sleeping victim, and 3D systems are difficult to forge… you want a low cost solution with a high success rate,” one of the researchers said.
“With the leakage of biometric data and the enhancement of AI fraud ability, liveness detection has become the Achilles’ heel of biometric authentication security as it is to verify if the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture,” the researchers said during the session, titled “Biometric Authentication Under Threat: Liveness Detection Hacking.”
In terms of mitigations, the researchers suggested that the companies who manufacture biometrics add identity authentication for native cameras as well as increase “the weight of video and audio synthesis detection.”