7 comments

[ 3.5 ms ] story [ 11.7 ms ] thread
So will these guys get the 1 million USD award?
That’s doubtful, they need the user to be there (and sleeping) for it to work.
And if that isn’t enough, you have to put glasses on the face of the sleeping or unconscious victim.
That’s because glasses basically bypass the eyes/attention detection feature.

If you don’t have that feature enabled you don’t need the glasses.

That said it would be quite obvious that this attack vector would work, I don’t think that people just realized what happens when you put on glasses and train FaceID to unlock with them.

It took like 10+ pin unlocks until FaceID comfortably recognized both my sun and reading glasses since I don’t wear either that much.

If I never wore them it would likely mean that this would never work at all since there was no pin confirmed unlock which updates the model with glasses on.

The $1m is for "Zero-click kernel code execution with persistence".

Lock screen bypass is worth $100k.

Why are the headlines so often so misleading? Requiring the unwitting cooperation of the victim and treating it as a footnote seems borderline dishonest and certainly clickbait. Yes, I clicked to see what the actual much more nuanced situation might be.
Headlines like this spread misinformation and help drive media distrust. It doesn’t help that most people won’t read past the headline.