At last weekend’s Black Hat USA 2019 convention, data scientists from Tencent revealed a vulnerability in Apple’s biometric security. However, the wildly elaborate nature of the hack means that it won’t pose a threat to most iPhone owners. Outside of a Hollywood thriller, it’s hard to imagine when the exploit could even be used.
How to Subvert iPhone’s Face ID
All would-be crooks need to bypass iPhone’s Face ID is access to the unconscious device owner, a pair of glasses, black tape, and a white marker. Thieves first need to apply strips of tape to the center of the lenses and draw white dots on them. Then, place the altered glasses on the sleeping iPhone owner without waking them up. Lastly, a criminal would unlock the smartphone by holding the device up to the Apple user’s face.
Tencent’s researchers said it’s possible to execute their Face ID authentication subversion in 120 seconds.
The group explained the hack works because of a flaw in the iPhone’s biometric security system. To prevent thieves from accessing a device with a photo, Apple-designed cameras scan for three-dimensionality. However, Face ID’s liveness detectors don’t extract 3D information from a user’s eyes if they wear glasses. As such, the corporation’s best-selling smartphone has a definite vulnerability to surprisingly low-tech outside intrusion.
Despite its effectiveness, its unlikely bad actors will deploy this particular hack in the real world. For one thing, it requires a level of personal exposure that would make it unappealing to freedom-loving thieves. Moreover, it’s hard for any real-life Ethan Hunts utilizing the method when there are much easier ways to compromise an iPhone’s data integrity.
Remotely Possible iPhone Hacks
In 2013, German group Chaos Computer Club bypassed the iPhone 5s’s fingerprint scanner using high-definition photos and wood glue. Similarly, another team of German data scientists subverted government biometric authentication using a wax hand. Also, Forbes found the LG G7 ThinQ, OnePlus 6, a Samsung Galaxy S9, and Samsung Galaxy Note 8’s facial recognition tech had a weakness to 3D printed head-related manipulation.
A week after Apple released the iPhone X, a Vietnamese security firm called Bkav cracked Apple’s then-new security measure. The group found they could fool the detectors of the device with a silicon mask outfitted with paper cutouts.
The Federal Bureau of Investigation (FBI) also found a way to exploit Apple’s Face ID security. Last August, the agency arrested a 28-year-old man on suspicion of possessing child pornography. After acquiring a search warrant, the FBI agents demanded the man put his face in front of its iPhone. The suspect consented and later pled guilty to offenses related to the sexual abuse of children.
It’s also worth noting that hackers can gain access to a smartphone’s content without subverting its authentication software. In April, it was revealed hackers infiltrated the Apple App Store using a spyware tool called Exodus. The malware, developed initially as a cyber-security tool, could record conversations, track the user’s location, and copy a phone’s data.
Though novel, Tencent’s iPhone biometric security hack is unlikely to be used in the real world. Thieves, spies, and law enforcement have much simpler ways of subverting a smartphone’s cybersecurity protections.
Accordingly, average iPhone owners shouldn’t worry about being hit with an Impossible Mission Force-style hack.