Face ID attention detection security defeated with glasses and tape

Comments

  • Reply 21 of 56
    StrangeDays Posts: 12,879 member

    gatorguy said:
    Soli said:
    gatorguy said:
    Rayz2016 said:
    Soli said:
    Let's be clear that this "hack" still needs the face of the person who is already keyed for the device. This only allows a person who wears glasses to allow someone to use their phone on their face to unlock Face ID without their consent if they happen to be unconscious after making a pair of augmented glasses, assuming that their picking up the iPhone doesn't trigger Face ID and the subsequent disabling of Face ID before they can execute this "hack".
    You say that but what if I’m walking down the street and someone lifts my phone from my pocket, then they shout “Hey you!”  When I look round they stick a pair of glasses with tape on my face and unlock my phone, even if I close my eyes in time!

    I wasn’t worried about someone unlocking my phone with TouchID while I was asleep, so I’m certainly not going to worry about this.
    A scenario that comes to mind is your partner/friend/someone hanging out partying or whoever passed out and this glasses trickery being used to unlock their phone while they're incapacitated. 
    What is the likelihood of all those factors lining up? I think I have a better chance of winning the lottery than being passed out drunk at a party and someone wanting to get into my iPhone without my knowledge. In my case that doesn't even require the rigamarole of special glasses (even if I wore glasses) because I'm still using an iPhone 7 Plus and my finger would work just fine when I'm passed out.
    Probably right Soli, but I do know of an extended family member with an XR who drinks FAR too much and passes out kinda regularly. Someone unlocking his phone while he's out definitely should not be his biggest concern tho. Can't talk him into rehab either.
    So how is this person protected with the more common fingerprint devices? Passed out is passed out. 

    People try so hard to make mountains out of molehills. 
  • Reply 22 of 56
    revenant Posts: 621 member
    Soli said:
    gatorguy said:
    Rayz2016 said:
    Soli said:
    Let's be clear that this "hack" still needs the face of the person who is already keyed for the device. This only allows a person who wears glasses to allow someone to use their phone on their face to unlock Face ID without their consent if they happen to be unconscious after making a pair of augmented glasses, assuming that their picking up the iPhone doesn't trigger Face ID and the subsequent disabling of Face ID before they can execute this "hack".
    You say that but what if I’m walking down the street and someone lifts my phone from my pocket, then they shout “Hey you!”  When I look round they stick a pair of glasses with tape on my face and unlock my phone, even if I close my eyes in time!

    I wasn’t worried about someone unlocking my phone with TouchID while I was asleep, so I’m certainly not going to worry about this.
    A scenario that comes to mind is your partner/friend/someone hanging out partying or whoever passed out and this glasses trickery being used to unlock their phone while they're incapacitated. 
    What is the likelihood of all those factors lining up? I think I have a better chance of winning the lottery than being passed out drunk at a party and someone wanting to get into my iPhone without my knowledge. In my case that doesn't even require the rigamarole of special glasses (even if I wore glasses) because I'm still using an iPhone 7 Plus and my finger would work just fine when I'm passed out.
    any university ever!
  • Reply 23 of 56
    Soli Posts: 10,035 member
    revenant said:
    Soli said:
    gatorguy said:
    Rayz2016 said:
    Soli said:
    Let's be clear that this "hack" still needs the face of the person who is already keyed for the device. This only allows a person who wears glasses to allow someone to use their phone on their face to unlock Face ID without their consent if they happen to be unconscious after making a pair of augmented glasses, assuming that their picking up the iPhone doesn't trigger Face ID and the subsequent disabling of Face ID before they can execute this "hack".
    You say that but what if I’m walking down the street and someone lifts my phone from my pocket, then they shout “Hey you!”  When I look round they stick a pair of glasses with tape on my face and unlock my phone, even if I close my eyes in time!

    I wasn’t worried about someone unlocking my phone with TouchID while I was asleep, so I’m certainly not going to worry about this.
    A scenario that comes to mind is your partner/friend/someone hanging out partying or whoever passed out and this glasses trickery being used to unlock their phone while they're incapacitated. 
    What is the likelihood of all those factors lining up? I think I have a better chance of winning the lottery than being passed out drunk at a party and someone wanting to get into my iPhone without my knowledge. In my case that doesn't even require the rigamarole of special glasses (even if I wore glasses) because I'm still using an iPhone 7 Plus and my finger would work just fine when I'm passed out.
    any university ever!
    Then Touch ID was a completely pointed security convenience... and you didn't even need to be an eyeglass wearer to bypass it.
  • Reply 24 of 56
    22july2013 Posts: 3,573 member
    Breaking only a single component in a security product is similar to breaking a link in a chain. The chain is now broken. Thieves will specifically attack the weak link in a chain. Thieves aren't dumb. They always go for the weakest link. If one link is weak, the whole chain is weak. I don't care if five of the links are made from Adamantium - if one link is made from toilet paper the chain is weak.
  • Reply 25 of 56
    Soli said:
    If someone doesn't read the article and they freak out, that's on them.  If they don't read the article and say Face ID is crappy, so what?  Just ignore them or if it bothers you, correct their incorrect assumption.  Simply put, this is not a good look no matter how you look at it.  A vaunted security feature bypassed by $2 worth of supplies.  No 3D printer, no sophisticated masks or prosthetic pieces.  No Mission Impossible dangling from a rope inches above the floor.  Nope.  Just a quick hop over to Walmart and you're good to go.  As I said, I think Apple focused on high tech intrusion, not anything like this.  Their fix shouldn't be that hard to come up with imo.
    Why go to Walmart? Take the glasses from the person that already has to be wearing them to set up Face ID with glasses and then put tape on them before putting them back on the face of the iPhone owner to get into their device. Despite your comment saying how obvious it is you still failed to note it requires all these very odd circumstances to use this "hack" effectively.
    I think you're failing to understand the point.  Face ID can be defeated by a solution that is so low tech and cheap that it's absurd.  That "X-Glasses kit" from the picture I attached is all that is needed to bypass Face ID.   Stick the kit on someone's face, hold their phone up, and voila. ← That's exactly how the hack works. There are no very odd circumstances.   Bypassing Face ID should never be that easy.  That's the point.
    You can also knock a person out and stick their finger on a fingerprint sensor. 

    You people try so hard. 
    You don't try hard enough... to think.  How exactly does Touch ID having vulnerabilities change the fact that Face ID got low tech spoofed easily?  It doesn't.  You should try to do something other than your regular deflection shtick.  It is nothing more than a tedious annoyance.  "Hey, I know the subject is this issue right here, but I'm just gonna start tossin' dirt on other stuff."  I honestly don't think you know any other form of interaction besides trying to place blame elsewhere.

    Do you actually have a relevant opinion on this topic?  Or are you going to continue throwing dirt to deflect?  Let's see, you've already deflected using Samsung and Touch ID.  What's next?  Gonna say someone could hold a person at gunpoint and force them to give up their password. /s
  • Reply 26 of 56
    StrangeDays Posts: 12,879 member
    Breaking only a single component in a security product is similar to breaking a link in a chain. The chain is now broken. Thieves will specifically attack the weak link in a chain. Thieves aren't dumb. They always go for the weakest link. If one link is weak, the whole chain is weak. I don't care if five of the links are made from Adamantium - if one link is made from toilet paper the chain is weak.
    So how come we never read about the drunk college student Touch ID epidemic? 
  • Reply 27 of 56
    StrangeDays Posts: 12,879 member
    Soli said:
    If someone doesn't read the article and they freak out, that's on them.  If they don't read the article and say Face ID is crappy, so what?  Just ignore them or if it bothers you, correct their incorrect assumption.  Simply put, this is not a good look no matter how you look at it.  A vaunted security feature bypassed by $2 worth of supplies.  No 3D printer, no sophisticated masks or prosthetic pieces.  No Mission Impossible dangling from a rope inches above the floor.  Nope.  Just a quick hop over to Walmart and you're good to go.  As I said, I think Apple focused on high tech intrusion, not anything like this.  Their fix shouldn't be that hard to come up with imo.
    Why go to Walmart? Take the glasses from the person that already has to be wearing them to set up Face ID with glasses and then put tape on them before putting them back on the face of the iPhone owner to get into their device. Despite your comment saying how obvious it is you still failed to note it requires all these very odd circumstances to use this "hack" effectively.
    I think you're failing to understand the point.  Face ID can be defeated by a solution that is so low tech and cheap that it's absurd.  That "X-Glasses kit" from the picture I attached is all that is needed to bypass Face ID.   Stick the kit on someone's face, hold their phone up, and voila. ← That's exactly how the hack works. There are no very odd circumstances.   Bypassing Face ID should never be that easy.  That's the point.
    You can also knock a person out and stick their finger on a fingerprint sensor. 

    You people try so hard. 
    You don't try hard enough... to think.  How exactly does Touch ID having vulnerabilities change the fact that Face ID got low tech spoofed easily?  It doesn't.  You should try to do something other than your regular deflection shtick.  It is nothing more than a tedious annoyance.  "Hey, I know the subject is this issue right here, but I'm just gonna start tossin' dirt on other stuff."  I honestly don't think you know any other form of interaction besides trying to place blame elsewhere.

    Do you actually have a relevant opinion on this topic?  Or are you going to continue throwing dirt to deflect?  Let's see, you've already deflected using Samsung and Touch ID.  What's next?  Gonna say someone could hold a person at gunpoint and force them to give up their password. /s
    I do think, which is why I recognize bonehead troll tropes when I see them. Your pattern of posting history makes it very plain to see...you now purport there to be an immense Apple security problem where there isn’t, as shown by the many years of Touch ID and your crappy knockoffs with their fingerprint sensors. The whole “They’re gonna knock you out and put these glasses on you!” schtick is silly bullshit, nothing more. No more valid than the FUD pellets people like you dropped from your behind for Touch ID — “Muggers will cut your fingers off! The government will force your finger onto the sensor!” Then the “Hey, you!” fear mongering. Then the AirPod “Muggers will pluck them out of your ears on a bicycle!” Blah blah blah... All silly bullshit, none of which came to pass, just like this Groucho Marx nonsense. 

    Apple will likely resolve any exposed weakness in the “liveness” detection so it’s just academic anyway. Heckler self-pleasuring, nothing more. 
  • Reply 28 of 56
    davidw Posts: 2,053 member
    Their bypass consists of a cheap pair of glasses and two pieces of tape.  Approx. $2 worth of material to bypass a billion dollar security system.  Whodathunkit? ¯\_(ツ)_/¯



    Obvious you haven't thunk this all the way through. The hack requires glasses that the iPhone owner wears or has worn before, to unlock their iPhone. Not just any pair of glasses. When the article states that ... "If you are wearing glasses, it won't extract 3D information from the eye area when it recognizes the glasses." ... it means that the software must recognize the glasses as ones that the iPhone owner wears or has worn before, before it will not require the 3D info around the eyes. Info like whether they are open or closed.

    That negates your thunking that any $1.99 pair of Walgreen bifocals will work. If the iPhone owner has never unlocked their iPhone wearing glasses, then no cheap pair of glasses will ever work with this hack because the software will not recognize the glasses. And if the iPhone owner does wear glasses or has worn glasses before to unlock the iPhone, then it requires the hacker to use those glasses, so the software can recognize them as the ones the iPhone owner wears or has worn before.  Even if they are cheap $1.99 glasses, not any cheap $1.99 glasses will work.

    This is why placing tape over the lenses (not the frame) to cover the eyes only works if the software recognizes the glasses and thus bypassing the need for 3D info around the user's eyes when unlocking. If the software doesn't recognize the glasses, then it won't unlock without the 3D info around the eyes.

    It is not ... if the software determines that the user is wearing glasses ... , that it will bypass gathering the 3D info around the user's eyes. That's when the hack would work with a pair of $1.99 glasses and a bigger security threat.

    The biggest security risk is if the iPhone owner falls asleep with their glasses on or left nearby, one can get hold of the glasses, place tape over the lens and place it back on the iPhone owner's face to unlock the iPhone. I can see iPhone owners' kids doing this to add money into their iTunes accounts.


    edited August 2019
  • Reply 29 of 56
    Soli said:
    If someone doesn't read the article and they freak out, that's on them.  If they don't read the article and say Face ID is crappy, so what?  Just ignore them or if it bothers you, correct their incorrect assumption.  Simply put, this is not a good look no matter how you look at it.  A vaunted security feature bypassed by $2 worth of supplies.  No 3D printer, no sophisticated masks or prosthetic pieces.  No Mission Impossible dangling from a rope inches above the floor.  Nope.  Just a quick hop over to Walmart and you're good to go.  As I said, I think Apple focused on high tech intrusion, not anything like this.  Their fix shouldn't be that hard to come up with imo.
    Why go to Walmart? Take the glasses from the person that already has to be wearing them to set up Face ID with glasses and then put tape on them before putting them back on the face of the iPhone owner to get into their device. Despite your comment saying how obvious it is you still failed to note it requires all these very odd circumstances to use this "hack" effectively.
    I think you're failing to understand the point.  Face ID can be defeated by a solution that is so low tech and cheap that it's absurd.  That "X-Glasses kit" from the picture I attached is all that is needed to bypass Face ID.   Stick the kit on someone's face, hold their phone up, and voila. ← That's exactly how the hack works. There are no very odd circumstances.   Bypassing Face ID should never be that easy.  That's the point.
    You can also knock a person out and stick their finger on a fingerprint sensor. 

    You people try so hard. 
    You don't try hard enough... to think.  How exactly does Touch ID having vulnerabilities change the fact that Face ID got low tech spoofed easily?  It doesn't.  You should try to do something other than your regular deflection shtick.  It is nothing more than a tedious annoyance.  "Hey, I know the subject is this issue right here, but I'm just gonna start tossin' dirt on other stuff."  I honestly don't think you know any other form of interaction besides trying to place blame elsewhere.

    Do you actually have a relevant opinion on this topic?  Or are you going to continue throwing dirt to deflect?  Let's see, you've already deflected using Samsung and Touch ID.  What's next?  Gonna say someone could hold a person at gunpoint and force them to give up their password. /s
    I do think, which is why I recognize bonehead troll tropes when I see them. Your pattern of posting history makes it very plain to see...you now purport there to be an immense Apple security problem where there isn’t, as shown by the many years of Touch ID and your crappy knockoffs with their fingerprint sensors. The whole “They’re gonna knock you out and put these glasses on you!” schtick is silly bullshit, nothing more. No more valid than the FUD pellets people like you dropped from your behind for Touch ID — “Muggers will cut your fingers off! The government will force your finger onto the sensor!” Then the “Hey, you!” fear mongering. Then the AirPod “Muggers will pluck them out of your ears on a bicycle!” Blah blah blah... All silly bullshit, none of which came to pass, just like this Groucho Marx nonsense. 

    Apple will likely resolve any exposed weakness in the “liveness” detection so it’s just academic anyway. Heckler self-pleasuring, nothing more. 
    You're an abject liar.  You are the one who brought up Touch ID. There's nothing negative about Touch ID in any of my posts.  There's nothing in any of my quotes about knocking someone out. All that shit you're trotting out and trying to attribute to me?  Piss off with that nonsense.  There's nothing in my posting history like that.  It's open so anyone can see what a liar you are.  And no, you don't think.  Otherwise you wouldn't try to pin outright lies on me.  I would say it's intentional but it's more likely Hanlon's Razor.
  • Reply 30 of 56
    DAalseth Posts: 2,783 member
    How exactly does Touch ID having vulnerabilities change the fact that Face ID got low tech spoofed easily? 
    Except it didn't. You need the person's actual face, and actual glasses they wore when they set up FaceID. 
    FaceID did not get "low tech spoofed". This is a couple of wannabe BlackHats trying to make a name for themselves. This technique is useless in the real world because if you have everything you need, just make the person unlock the bloody phone.
  • Reply 31 of 56
    chasm Posts: 3,303 member
    Meanwhile, Samsung/Android's face recognition remains fooled by basically anything even vaguely resembling the original person, and of course they caution that while you can choose to use it for unlocking your device, it can't be used for financial transactions or anything where, you know, security comes into play.

    Friend of mine was showing off his new Samsung S9 (I think it was) and bragging that it had "Face ID." Up pops this tiny round window he had to position his face in and hold still for a few seconds, and then it unlocked. "Cool!" I said politely. "See if you can get it to unlock!" he said.

    You'll never guess what happened next. :D
  • Reply 32 of 56
    macplusplus Posts: 2,112 member
    This is a scam. Most probably Face ID was initially set up with that pair of glasses.

    Face ID recognition is based on the topography of the face, not on the location of the eyes. The eyes are used only in gaze detection, and that can also be disabled in Settings.

    Here is the whitepaper:
    https://www.apple.com/business/site/docs/FaceID_Security_Guide.pdf

    “When a face is detected, Face ID confirms attention and intent to unlock by detecting that your eyes are open and directed at your device; for accessibility, this is disabled when VoiceOver is activated or can be disabled separately, if required.

    Once it confirms the presence of an attentive face, the TrueDepth camera projects and reads over 30,000 infrared dots to form a depth map of the face, along with a 2D infrared image. This data is used to create a sequence of 2D images and depth maps, which are digitally signed and sent to the Secure Enclave.”

    The sequence of events described by Apple does not match their description. The eyes are used in only the first phase: attention detection. Once the attention is detected then the second phase, true face recognition begins: 30,000 infrared dots...
    edited August 2019
  • Reply 33 of 56
    JFC_PA Posts: 932 member
    “Face ID security defeated with glasses and tape”

    No, not really. Bigly fail. Really big. 
  • Reply 34 of 56
    gatorguy Posts: 24,213 member
    DAalseth said:
    How exactly does Touch ID having vulnerabilities change the fact that Face ID got low tech spoofed easily? 
    Except it didn't. You need the person's actual face, and actual glasses they wore when they set up FaceID. 
    FaceID did not get "low tech spoofed". This is a couple of wannabe BlackHats trying to make a name for themselves. This technique is useless in the real world because if you have everything you need, just make the person unlock the bloody phone.
    I don't think the report is stating you need to use the person's actual glasses or even glasses he's ever worn before. Not sure he/she even has to be someone who wears glasses regularly. Reading the source report implies it's glasses, any glasses, and what Apple's FaceID does when they are detected. Perhaps that will get clarified within a day or so. 

    IMHO it's not that much of an issue anyway, and Apple will eventually craft a way of fixing it, probably sooner rather than later.
  • Reply 35 of 56
    CheeseFreeze Posts: 1,249 member
    By the time you put glasses on an unconscious victim that has been paired with the phone before, it’s easier to quickly chop off a finger and TouchID a device.  
  • Reply 37 of 56
    kevin kee Posts: 1,289 member
    Just to be clear there. Does the headline imply that anyone who uses the trick can open my iPhone with their face?
  • Reply 38 of 56
    cropr Posts: 1,124 member
    More factors to consider:

    1. You'd have to wait until the person falls asleep or drug them (like Cardi B does her dates) and wait.

    2. You'll have to hope their iPhone is in their hand or somewhere you can reach without waking the person up.

    the biggest one:

    3. The invader would have to know about this hack in the first place.

    Luckily Apple will have this patched in the coming days so there's another one:

    4. You'll have to pull this off this week!

    #GlassesGate
    Let's apply this to a person who arrives intoxicated (drugs, alcohol) in the police station.
    1) The police have time until the person gets sober again
    2) His iPhone fell out of his pockets while being arrested
    3) At least one police officer in the station is reading AI
    4) The person did not upgrade his phone the last few months
    edited August 2019
  • Reply 39 of 56
    roake Posts: 811 member
    gatorguy said:
    Rayz2016 said:
    Soli said:
    Let's be clear that this "hack" still needs the face of the person who is already keyed for the device. This only allows a person who wears glasses to allow someone to use their phone on their face to unlock Face ID without their consent if they happen to be unconscious after making a pair of augmented glasses, assuming that their picking up the iPhone doesn't trigger Face ID and the subsequent disabling of Face ID before they can execute this "hack".
    You say that but what if I’m walking down the street and someone lifts my phone from my pocket, then they shout “Hey you!”  When I look round they stick a pair of glasses with tape on my face and unlock my phone, even if I close my eyes in time!

    I wasn’t worried about someone unlocking my phone with TouchID while I was asleep, so I’m certainly not going to worry about this.
    A scenario that comes to mind is your partner/friend/someone hanging out partying or whoever passed out and this glasses trickery being used to unlock their phone while they're incapacitated. 
    I don’t know... Don’t get incapacitated in public?
  • Reply 40 of 56
    avon b7 Posts: 7,693 member

    avon b7 said:
    gatorguy said:
    Rayz2016 said:
    Soli said:
    Let's be clear that this "hack" still needs the face of the person who is already keyed for the device. This only allows a person who wears glasses to allow someone to use their phone on their face to unlock Face ID without their consent if they happen to be unconscious after making a pair of augmented glasses, assuming that their picking up the iPhone doesn't trigger Face ID and the subsequent disabling of Face ID before they can execute this "hack".
    You say that but what if I’m walking down the street and someone lifts my phone from my pocket, then they shout “Hey you!”  When I look round they stick a pair of glasses with tape on my face and unlock my phone, even if I close my eyes in time!

    I wasn’t worried about someone unlocking my phone with TouchID while I was asleep, so I’m certainly not going to worry about this.
    A scenario that comes to mind is your partner/friend/someone hanging out partying or whoever passed out and this glasses trickery being used to unlock their phone while they're incapacitated. 
    Another scenario.

    How many law enforcement agents does it take to implement this technique?

    LOL!
    Sure beats the crummy knockoffs that can be fooled with a photo on another device. Oh but that’s only meant for “convenience” not security! riiiight.
    That's right. 'not security' so it couldn't be used for things like payments in the first place!

    As for being fooled with a photo, is that still the case for those phones? 2D systems have come a long way since then.