There was a flaw in the liveness detection function of the biometric authentication system that is used by Apple for unlocking an iPhone using face recognition and that dangerous discovery has shocked attendees of the Black Hat hacker convention held in Las Vegas when cybersecurity researchers have managed to bypass the iPhone’s face recognition feature in just a mere 120 seconds and some things you can find in your desk.
Security measurements are made for our own protection. Making sure that your device is secured is one of the top-most priorities a device user needs to understand. The risk of hacks are always there, but it can still be minimized depending on the level of protection that the user places on his or her device.
FaceID is one of the best ways to secure your device, and it is also on par when it comes to thumbprint recognition. However, as demonstrated by the researches in Black Hat, it could still be exploited against the privacy of one person.
The researchers were able to alternatively access the iPhones of victims with the use of the face recognition feature. One hundred twenty seconds, it only took them 120 seconds to bypass a victims’ iPhone; in this, they needed three things: a pair of spectacles, some tape, and sleeping or unconscious iPhone user.
Black hat does not falter in producing some exciting security headlines every year, and the headlines this year has, so far, did not disappoint any of its readers. During a series of sessions checking the validity of the claim, Threatpost reported that researchers claim that “liveness detection has become the Achilles’ heel of biometric authentication security as it is to verify if the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture.”
This is to solve the problem when it comes to biometric hacking; hackers use the flaws in the authentication with either the help of wax hands or even 3D-printed heads.
All these kinds of hacks require physical access to enable the devices function. Ironically speaking, they can even hack your device even if you are not physically present at the moment all they need is either a copy of biometrics or any facial recognition that is similar to yours.
How does it work?
The FaceID liveness process wouldn’t extract full 3D data around the eyes, thus leaving a loophole for the use of glasses. It looks for a black area for the eye with a white point upon it for the iris. With this, researchers try to imitate this function by using a sunglass with white tape and a black tape at the middle.
Allowing the white tape to be seen, this allows the FaceID to “recognize” it as the actual eyes. The process doesn’t end there; you still need to put the glasses on the sleeping victim and allow the facial recognition to operate and unlock the phone. This is because the phone will recognize the “white area” that has been placed on the glasses as the owner’s pupil and allowing it to unlock.
However, this may be the last time that you can say that it is simple. In the real world, it would be a struggle for the hackers to purposely locate the sleeping victim and place glasses on them to process a transfer of funds or any malicious acts on the user’s phone.
The hack is situational
The requirement for the hack is so situational that it might not even be possible to operate this in the real world. You may have the “X-glasses,” but it is nearly impossible to acquire a “sleeping victim” to put the glasses on. Also, if the phone is not set on facial recognition or FaceID, then it would be a lot harder to process the hack attempt.
However, iPhone users with FaceID turned on can still be left vulnerable for people that has access on them while they are sleeping or while they are unconscious – angry partner, friends, and even malicious acquaintances – all of them could use this vulnerability to creep into someone’s iPhone without them knowing.
Apple is now working to resolve this issue and update there liveness detection function in order to prevent future mishaps when it comes to the facial recognition feature.