During the Black Hat 2019 conference, researchers demonstrated a way to spoof Face ID using nothing more than glasses and tape.
To launch the attack, researchers with Tencent tapped into a feature behind biometrics called “liveness” detection, the part of the biometric authentication process that distinguishes “real” from “fake” features on people. It works by detecting background noise, response distortion or focus blur. One biometrics tool that uses liveness detection is Face ID, which Apple designed and uses for the iPhone and iPad Pro.
It’s possible to protect yourself from this and other forced unlockings of your iPhone by making the face registered with FaceID different to your normal resting face.
How? When you first set up FaceID, tighten your mouth and inflate your upper lip like you’re blowing a trumpet. This has the effect of flaring your nostrils and increasing the distance from mouth to nose, and FaceID records that as your face. Then when you unlock your phone, remember to inflate your lip and hey presto, you have an alternative face for FaceID that’s easy to reproduce but impossible for a bad actor to coerce you into doing.
Try it – it works!
I would hardly call this a spoof. I’m not sure I’d even call it a vulnerability. You need the real user, unconscious. Then you need to have a pair of modified glasses. But wait, in the depths of the article it said if FaceID recognizes the glasses it skips the eye check. That means the user must have a profile in FaceID wearing glasses, and then the BlackHats have to have a pair of exactly the same frames, modified.
Seriously, if they have all that, why not tie up the victim, ask them a question, and then, as they look over to answer, hold up the phone to unlock it. This is a fairly meaningless demonstration, and in the real world it is not a vulnerability that will ever be exploited.