LAS VEGAS – Vulnerabilities have been uncovered in the authentication process of biometrics technology that could allow bad actors to bypass various facial recognition applications – including Apple’s FaceID. But there is a catch. Doing so requires the victim to be out cold.
Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim’s FaceID and log into their phone simply by putting a pair of modified glasses on their face. By merely placing tape carefully over the lenses of a pair glasses and placing them on the victim’s face the researchers demonstrated how they could bypass Apple’s FaceID in a specific scenario. The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up.
To launch the attack, researchers with Tencent tapped into a feature behind biometrics called “liveness” detection, which is part of the biometric authentication process that sifts through “real” versus “fake” features on people. It works by detecting background noise, response distortion or focus blur. One such biometrics tool that utilizes liveness detection is FaceID, which is designed and utilized by Apple for the iPhone and iPad Pro.
“With the leakage of biometric data and the enhancement of AI fraud ability, liveness detection has become the Achilles’ heel of biometric authentication security as it is to verify if the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture,” researchers said during the Black Hat USA 2019 session, titled “Biometric Authentication Under Threat: Liveness Detection Hacking.”
While previous attacks have focused on generating fake data to bypass biometrics, these types of audio or video attacks consist of various components – including stealing the victims’ device fingerprint, generating fake audio and video, and hardware-level inject – and involve several moving parts, Zhuo Ma, with Tencent Security, said.
Instead, researchers decided to focus on liveness detection, which allows users to unlock their phone with one glance, hoping to bypass the feature by using an actual victim’s face while they are unconscious.
“It comes with challenges, you don’t want to wake up a sleeping victim, and 3D systems are difficult to forge… you want a low cost solution with a high success rate,” said Ma.
Researchers specifically honed in on how liveness detection scans a user’s eyes. They discovered that the abstraction of the eye for liveness detection renders a black area (the eye) with a white point on it (the iris). And, they discovered that if a user is wearing glasses, the way that liveness detection scans the eyes changes.
“After our research we found weak points in FaceID… it allows users to unlock while wearing glasses… if you are wearing glasses, it won’t extract 3D information from the eye area when it recognizes the glasses.”
Putting these two factors together, researchers created a prototype of glasses – dubbed “X-glasses” – with black tape on the lenses, and white tape inside the black tape. Using this trick they were then able to unlock a victim’s mobile phone and then transfer his money through mobile payment App by placing the tape-attached glasses above the sleeping victim’s face to bypass the attention detection mechanism of both FaceID and other similar technologies.
The attack comes with obvious drawbacks – the victim must be unconscious, for one, and can’t wake up when the glasses are placed on their face. However, it does show the weaknesses behind the security and design of liveness detection and biometrics in general, researchers said.
In terms of mitigations, researchers suggested that biometrics manufacturers add identity authentication for native cameras and increase the weight of video and audio synthesis detection.
Biometrics have been at the center of attention this year as security experts wonder whether the new technology will create increased security or a new threat attack vector. It was discussed widely at Black Hat USA 2018 as well, with new vulnerabilities in voice authentication being uncovered.
Black Hat USA 2019 has kicked off this week in Las Vegas. For more Threatpost breaking news, stories and videos from Black Hat and DEF CON, click here.