Let's see – clean shirt, new shoes, silk suit, black tie, gold watch, diamond ring, cufflinks, stick pin... Oh, and a pair of glasses, scissors, black tape, and white tape.
Yep, I'm ready to party
Isn't one of the features of Face ID the ability to recognize an authorized user if he or she should don a pair of glasses (not necessarily sunglasses)?
Let's see – clean shirt, new shoes, silk suit, black tie, gold watch, diamond ring, cufflinks, stick pin... Oh, and a pair of glasses, scissors, black tape, and white tape.
Yep, I'm ready to party
Isn't one of the features of Face ID the ability to recognize an authorized user if he or she should don a pair of glasses (not necessarily sunglasses)?
I believe you are correct, another reason why I don't believe this "hack" requires a pair of glasses that your FaceID has seen before. There's folks out there who regularly change their eyeglasses to match what they're wearing, and others who don't even wear glasses but will occasionally do so as a fashion statement. Looking thru Apple FAQ's and support articles a properly set up FaceID should work whether you are wearing (your) glasses or not.
I don't think there's been any claim from the security researchers that the victim's own glasses, and especially ones previously scanned by the system, are needed. I suspect someone grabbed that and ran with it, and it ends up being parroted. I don't believe whoever initially made that claim understands how FaceID is designed to work. If I'm wrong please do jump in to correct me, like I would have to ask. LOL
This isn't a major issue anyway. Apple will address it.
Obvious you haven't thunk this all the way through. The hack requires glasses that the iPhone owner wears or have worn before, to unlock their iPhone. Not just any pair of glasses. When the article states that ........... "If you are wearing glasses, it won't extract 3D information from the eye area when it recognizes the glasses." ...... it means that the software must recognize the glasses as ones that the iPhone owner wears or have worn before, before it will not require the 3D info around the eyes. Info like whether they are open or close.
Got a source for that claim about the glasses? Based on your quote, you're going by what you think that excerpted portion means, not what it means. That's open for interpretation because the researchers never specify. "Recognize the glasses" could easily mean recognize that glasses are on, not a specific pair of glasses. Afaik, Face ID can recognize a registered face behind glasses regardless of whether or not they've been seen before. So your theory doesn't really hold water. But hey, if you have a source that says differently, I'd love to see it. Cuz I'm sure you thunk that through. All the way.
This was pretty easy to test. Just a few weeks ago I started wearing sunglasses. Face ID did not initially unlock for me with the glasses on but it learned to. I always wear the same sunglasses and no longer have an issue using Face ID with them on.
Just now I tried on 2 pairs of my SO’s sunglasses. 1 pair was similar to mine and the other pair was not. I successfully unlocked using Face ID on the first try with both pairs.
Clearly Face ID did not have to “learn” the “new” sunglasses on my face.
It is, but it's about 3/4 of the way through the article. How many people will read that before either freaking out or, more likely, use it as a jumping off point to say how crappy Face ID and Apple are?
Me? Anyway let's be even more clear, any bit of FaceID that can be defeated will help in creating a full exploit.
It's like saying, it doesn't matter somebody cracked one of my door locks because I have two more. It does matter. Would be nice if they asked "do you wear glasses?" or just had a setting where I can make FaceID more secure. I don't have glasses and I won't suddenly put glasses on either. I was somewhat surprised face ID seemed to work even when I had my motorcycle helmet on... it kinda shouldn't???
How exactly will an exploit be created from this that will not require the actual user to unlock it with their face? You might as well claim that Touch ID is inherently flawed because someone could still your finger to unlock the device when you're passed out or unconscious.
While the theory is sound in that it can defeat Face ID, the attack is only really useful against unconscious victims, requiring both physical access and the tricky move of placing glasses on their face without waking them up.
Because no one would ever deliberately drug someone or knock them unconscious to take advantage of them.
The fact that other security systems have vulnerabilities, and that some of those vulnerabilities are worse than this one, doesn't change the fact that this is a vulnerability, and one that doesn't take expensive tech to implement. Even if Face ID is still more secure than any other system on the planet, this is still a vulnerability, and there will be bad actors who will consider deliberately slipping a drug into some high roller's drink, unlocking their phone using this stupidly simple hack, and spending all their money. If I, a simple office worker guy, can think of something like that, then some bad actor already has.
The fact that Face ID might still be more secure than others is completely irrelevant. As was posted prior, even if every other component of Face ID is made of adamantium, this toilet paper bit makes the entire thing weak.
While the theory is sound in that it can defeat Face ID, the attack is only really useful against unconscious victims, requiring both physical access and the tricky move of placing glasses on their face without waking them up.
Because no one would ever deliberately drug someone or knock them unconscious to take advantage of them.
The fact that other security systems have vulnerabilities, and that some of those vulnerabilities are worse than this one, doesn't change the fact that this is a vulnerability, and one that doesn't take expensive tech to implement. Even if Face ID is still more secure than any other system on the planet, this is still a vulnerability, and there will be bad actors who will consider deliberately slipping a drug into some high roller's drink, unlocking their phone using this stupidly simple hack, and spending all their money. If I, a simple office worker guy, can think of something like that, then some bad actor already has.
The fact that Face ID might still be more secure than others is completely irrelevant. As was posted prior, even if every other component of Face ID is made of adamantium, this toilet paper bit makes the entire thing weak.
That's a foolish assumption when you're talking about rare to silly what-ifs. By their nature, biometrics are to be used for security with convenience, not as the ultimate level of security which is why the passcode is used to authenticate before Touch ID or Face ID is enabled; but f you think that Face ID is that insecure then simply don't use it, but you also can't use Touch ID or any other biometric because they can duped when you are passed out a college frat party (as someone used as an example) or when you have an exact, evil twin (as a common trope in television).
By the time you put glasses on an unconscious victim that has been paired with the phone before, it’s easier to quickly chop off a finger and TouchID a device.
@CheeseFreeze ;They don't have to be "paired" AFAICT. Glasses the person has never worn before will work, and even if they don't usually wear glasses. The face itself? Yeah that matters.
By the time you put glasses on an unconscious victim that has been paired with the phone before, it’s easier to quickly chop off a finger and TouchID a device.
@CheeseFreeze They don't have to be "paired" AFAICT. Glasses the person has never worn before will work, and even if they don't usually wear glasses. The face itself? Yeah that matters.
Still no worse than every single other device with fingerprint scanners -- which don't even require gag glasses! So this hoopla is nonsensical since thus far in years of fingerprint use on multiple devices & brands, no one has seen a rash of passed-out-at-a-party robberies of the sort being theorized here. So it's just mental masturbation. Typical FUD.
By the time you put glasses on an unconscious victim that has been paired with the phone before, it’s easier to quickly chop off a finger and TouchID a device.
@CheeseFreeze They don't have to be "paired" AFAICT. Glasses the person has never worn before will work, and even if they don't usually wear glasses. The face itself? Yeah that matters.
Still no worse than every single other device with fingerprint scanners -- which don't even require gag glasses! So this hoopla is nonsensical since thus far in years of fingerprint use on multiple devices & brands, no one has seen a rash of passed-out-at-a-party robberies of the sort being theorized here. So it's just mental masturbation. Typical FUD.
You're correct and I'm pretty sure I said the same thing about it being unimportant. Twice as a matter of fact in this thread so you and I agree. I just use a far more civil post to say so. You should try it.
By the time you put glasses on an unconscious victim that has been paired with the phone before, it’s easier to quickly chop off a finger and TouchID a device.
@CheeseFreeze They don't have to be "paired" AFAICT. Glasses the person has never worn before will work, and even if they don't usually wear glasses. The face itself? Yeah that matters.
Still no worse than every single other device with fingerprint scanners -- which don't even require gag glasses! So this hoopla is nonsensical since thus far in years of fingerprint use on multiple devices & brands, no one has seen a rash of passed-out-at-a-party robberies of the sort being theorized here. So it's just mental masturbation. Typical FUD.
There was a report of a woman using her husband’s finger to unlock his phone when he fell asleep on a plane ride and she discovered a bunch of texts from his mistress, so it very clearly has happened.
As paranoid as everyone here is about the police getting access to their phones, I’m surprised no one has considered the obvious - the police use a taser or medical means to render someone unconscious/incapacitated and then put a pair of glasses on to unlock their phone. Who needs Celebrite?
Their bypass consists of a cheap pair of glasses and two pieces of tape. Approx. $2 worth of material to bypass a billion dollar security system. Whodathunkit? ¯\_(ツ)_/¯
You can also knock a person out and stick their finger on a fingerprint sensor.
You people try so hard.
Uh oh. It's clear to me now that our security could be defeated by a Bender unit.
Let's be clear that this "hack" still needs the face of the person who is already keyed for the device. This only allows a person who wears glasses to allow someone to use their phone on their face to unlock Face ID without their consent if they happen to be unconscious after making a pair of augmented glasses, assuming that their picking up the iPhone doesn't trigger Face ID and the subsequently disabling of Face ID before they can execute this "hack".
You say that but what if I’m walking down the street and someone lifts my phone from my pocket, then they shout “Hey you!” When I look round they stick a pair of glasses with tape on my face and unlock my phone, even if I close my eyes in time!
i wasn’t worried about someone unlocking my phone with TouchID while I was asleep, so I’m certainly not going to worry about this.
A scenario that comes to mind is your partner/friend/someone hanging out partying or whoever passed out and this glasses trickery being used to unlock their phone while they're incapacitated.
What is the likelihood of all those factors lining up? I think I have a better chance of winning the lottery than being passed out drunk at a party and someone wanting to get into my iPhone without my knowledge. In my case that doesn't even require the rigamarole of special glasses (even if I wore glasses) because I'm still using an iPhone 7 Plus and my finger would work just fine when I'm passed out.
Probably right Soli, but I do know of an extended family member with an XR who drinks FAR too much and passes out kinda regularly. Someone unlocking his phone while he's out definitely should not be his biggest concern tho. Can't talk him into rehab either.
So how is this person protected with the more common fingerprint devices? Passed out is passed out.
People try so hard to make mountains out of molehills.
Depends on the OS. I have a File Safe, hidden Private Space and App Lock.
Passed out, no one can access anything in those areas if I consider it sensitive enough to protect using those features with passcodes. And that's why those features exist in the first place.
Their bypass consists of a cheap pair of glasses and two pieces of tape. Approx. $2 worth of material to bypass a billion dollar security system. Whodathunkit? ¯\_(ツ)_/¯
Obvious you haven't thunk this all the way through. The hack requires glasses that the iPhone owner wears or have worn before, to unlock their iPhone. Not just any pair of glasses. When the article states that ........... "If you are wearing glasses, it won't extract 3D information from the eye area when it recognizes the glasses." ...... it means that the software must recognize the glasses as ones that the iPhone owner wears or have worn before, before it will not require the 3D info around the eyes. Info like whether they are open or close.
That negates your thunking that any $1.99 pair of Walgreen bifocals will work. If the iPhone owner have never unlocked their iPhone wearing glasses, then no cheap pair of glasses will ever work with this hack because the software will not recognize the glasses. And if the iPhone owner does wear glasses or worn glasses before to unlock the iPhone, then it requires the hacker to use those glasses, so the software can recognize them as the ones the iPhone owner wears or worn before. Even if they are cheap $1.99 glasses, not any cheap $1.99 gasses will work.
This is why placing tape over the lenses (not the frame) to cover the eyes only works if the software recognizes the glasses and thus bypassing the need for 3D info around the user's eyes when unlocking. If the software doesn't recognize the glasses, then it won't unlock without the 3D info around the eyes.
It is not ....... if the software determines the the user is wearing glasses ........ , that it will bypass gathering the 3D info around the users eyes. That's when the hack would work with a pair of $1.99 glasses and a bigger security threat.
The biggest security risk is if the iPhone owner falls asleep with their glasses on or left nearby, one can get hold of the glasses, place tape over the lens and place it back on the iPhone owner's face to unlock the iPhone. I can see iPhone owners kids doing this to add money into their iTunes accounts.
thunk again, i have only one face id, and i did not wear my glasses when i did it. when i am wearing my glasses, it unlocks the phone. with my sunglasses too.
Comments
Oh, and a pair of glasses, scissors, black tape, and white tape.
Yep, I'm ready to party
Isn't one of the features of Face ID the ability to recognize an authorized user if he or she should don a pair of glasses (not necessarily sunglasses)?
I don't think there's been any claim from the security researchers that the victim's own glasses, and especially ones previously scanned by the system, are needed. I suspect someone grabbed that and ran with it, and it ends up being parroted. I don't believe whoever initially made that claim understands how FaceID is designed to work.
If I'm wrong please do jump in to correct me, like I would have to ask. LOL
This isn't a major issue anyway. Apple will address it.
Just now I tried on 2 pairs of my SO’s sunglasses. 1 pair was similar to mine and the other pair was not. I successfully unlocked using Face ID on the first try with both pairs.
Clearly Face ID did not have to “learn” the “new” sunglasses on my face.
Would these work?
The fact that other security systems have vulnerabilities, and that some of those vulnerabilities are worse than this one, doesn't change the fact that this is a vulnerability, and one that doesn't take expensive tech to implement. Even if Face ID is still more secure than any other system on the planet, this is still a vulnerability, and there will be bad actors who will consider deliberately slipping a drug into some high roller's drink, unlocking their phone using this stupidly simple hack, and spending all their money. If I, a simple office worker guy, can think of something like that, then some bad actor already has.
The fact that Face ID might still be more secure than others is completely irrelevant. As was posted prior, even if every other component of Face ID is made of adamantium, this toilet paper bit makes the entire thing weak.
As paranoid as everyone here is about the police getting access to their phones, I’m surprised no one has considered the obvious - the police use a taser or medical means to render someone unconscious/incapacitated and then put a pair of glasses on to unlock their phone. Who needs Celebrite?
Uh oh. It's clear to me now that our security could be defeated by a Bender unit.
Passed out, no one can access anything in those areas if I consider it sensitive enough to protect using those features with passcodes. And that's why those features exist in the first place.
Options are good.