Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple's iOS 15 patches Face ID vulnerability, includes other security upgrades

Apple on Monday quietly announced that iOS 15 includes a number of security improvements including enhancements to Face ID's anti-spoofing models.

According to a support document published to coincide with the release of iOS 15, Apple has addressed a Face ID vulnerability in which a 3D model might be used to gain access to certain iPhone and iPad Pro models.

As discovered by Wish Wu of Ant Financial's Light-Year Security Lab, previous iterations of Face ID could be tricked into authenticating a 3D model "constructed to look like the enrolled user." Apple rectified the potential security issue by updating Face ID anti-spoofing models.

The vulnerability is present on all devices with Face ID capabilities not running iOS 15, including iPhone X, iPhone XR, iPhone XS, iPhone 11, iPhone 12, and iPad Pro.

Wu made headlines in 2019 for reportedly uncovering a similar Face ID hack that supposedly defeated the system with a black-and-white printed image and "some tape." He was poised to present a report on the matter at the Black Hat Asia conference that year, but withdrew after Ant discovered inconsistencies with the findings.

The Face ID vulnerability patched today appears to be a separate issue first reported in August.

Also included in iOS 15 are fixes for CoreML, Apple's Neural Engine, memory handling, dfont, a kernel issue and a handful of WebKit bugs, some of which could allow malicious actors to execute arbitrary code on a target device.



2 Comments

bestkeptsecret 13 Years · 4289 comments

I guess you need to be Mission Impossible levels of important for someone to make a 3D model of your face and then steal your phone. 

Then again, I guess anyone contacted my Madame Tussad's is a potential victim!

maltz 13 Years · 507 comments

Weren't at least some of these issues also fixed in 14.8?  Specifically, the WebKit bugs?  Maybe all of them?  I thought part of the idea of allowing users to stay a major version behind was that both versions would get any security updates.