A team of Tencent researchers has managed to get past Face ID’s liveness detection with a pair of glasses and some tape. To execute the attack, the researchers placed a strip of black tape on each lens. The tape mimics the outline of the eye, while a dot of white tape in the center imitates the iris.
The technique is effective because the Face ID algorithm does not make a complete scan when the user is wearing glasses. Tencent’s researchers were able to use the taped glasses, dubbed “X-Glasses,” to unlock someone’s phone and authorize a financial transaction, and presented their findings at the recent Black Hat conference in Las Vegas.
“If you are wearing glasses, [Face ID] won’t extract 3D information from the eye area when it recognizes the glasses,” explained Tencent’s Zhuo Ma.
While the flaw is obviously concerning, it’s not necessarily a complete disaster for Apple. Face ID still requires the rest of the target’s face to make a positive match, so any potential fraudsters would need to force the glasses onto the victim, most likely while they were unconscious. In most cases, that could make it prohibitively difficult to perform the attack without raising suspicion.
Even so, it’s a clear vulnerability, which is why the Tencent researchers have suggested that Apple add identity authentication and change the way it weights audio and video elements to improve liveness detection.
This is not the first time Face ID has been cracked. A group of Vietnamese researchers was able to trick Face ID with 3D-printed masks. Another hacker later came up with a spoof that sounds similar to Tencent’s gambit, but a talk at Black Hat Asia was canceled because the spoof had only been demonstrated on iPhone X devices.