CVE-2019-8760 in iOS
Summary
by MITRE
This issue was addressed by improving Face ID machine learning models. This issue is fixed in iOS 13. A 3D model constructed to look like the enrolled user may authenticate via Face ID.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 09/09/2020
The vulnerability described in CVE-2019-8760 represents a significant security flaw in Apple's Face ID authentication system that existed prior to iOS 13. This weakness allowed malicious actors to potentially bypass biometric authentication through the exploitation of machine learning model limitations. The issue specifically targeted the facial recognition algorithms that process 3D facial data to authenticate users, creating a scenario where artificial constructs could deceive the system. The vulnerability exploited the fundamental assumptions made by the Face ID system regarding the uniqueness and variability of human facial features, particularly when those features were replicated through sophisticated 3D modeling techniques.
The technical implementation of this flaw stemmed from the machine learning models used by Face ID to distinguish between enrolled users and unauthorized individuals. These models were susceptible to being fooled by high-fidelity 3D models that accurately replicated the enrolled user's facial characteristics. The vulnerability specifically manifested when attackers could construct physical or digital representations that matched the enrolled user's facial data within the system's tolerance thresholds. This issue falls under the broader category of machine learning model vulnerabilities, particularly those related to adversarial examples and model robustness. The flaw represents a classic case of insufficient model validation and adversarial input testing, where the system failed to properly account for potential manipulations of the input data.
The operational impact of this vulnerability extended beyond simple unauthorized access to devices, potentially compromising sensitive data and system integrity. Users who relied on Face ID for device security faced scenarios where their biometric credentials could be bypassed through relatively accessible means such as 3D printed masks or sophisticated digital representations. This created a risk landscape where attackers with basic 3D modeling capabilities could potentially gain unauthorized access to protected devices. The vulnerability particularly affected enterprise environments where Face ID was used for access control, as it undermined the fundamental security assumptions of biometric authentication systems. The issue also raised concerns about the broader implications for biometric security systems that rely on machine learning models without adequate adversarial testing.
Apple's remediation approach for this vulnerability focused on enhancing the machine learning models that power Face ID authentication. The iOS 13 update implemented improved algorithms that could better distinguish between genuine users and artificial representations, addressing the specific weakness in the facial recognition system. This update likely included modifications to how the system processes 3D facial data, potentially incorporating additional validation checks and increasing the robustness of the machine learning models against adversarial inputs. The solution aligns with established security practices for addressing machine learning vulnerabilities, including the principle of defense in depth and the need for comprehensive adversarial testing. This vulnerability and its resolution demonstrate the importance of continuous security updates and the evolving nature of biometric authentication security. The fix represents a critical improvement in the security posture of Apple's biometric systems, addressing a fundamental flaw that could have enabled unauthorized access to protected devices and data.