
The Asus U2E is among the products the hackers were easily able to gain logon access to by spoofing the facial recognition software. The hackers broke into Lenovo, Toshiba, and ASUSTek systems with ease.  (Source: ASUSTek)
At a major hacking conference participants showed yet another supposedly secure technology just isn't very secure

The problem with any hot technology in the security world is that the desire to raise a product above the competition seems to invariably lead to boastful claims.  Such claims make the technology a high profile target for hackers, and with the bright minds in the field, it takes little time to take many supposedly "unbeatable" countermeasures down.  Thus was the case with RFID, recently shown to be extremely insecure, and now it appears that at least some types of biometrics are headed down the same path.

Nguyen Minh Duc, manager of the application security department at the Bach Khoa Internetwork Security Center at Hanoi University of Technology, is scheduled to demonstrate at Black Hat DC this week how he and his colleagues used multiple methods to hack top biometric facial recognition products and gain easy access to systems.

He and his colleagues hacked Lenovo's Veriface III, ASUS' SmartLogon V1.0.0005, and Toshiba's Face Recognition systems, which come on the companies' webcam-equipped laptops.  These Windows XP and Windows Vista laptops use the webcams to scan the user's face and, if an algorithm judges that it matches the stored image, log the user on.  Facial recognition is considered by many in the security world to be less of a hassle than fingerprints and more secure than passwords.

The Vietnamese researchers showed that the tech might not be such a good idea, though, by using multiple means to crack it.  The simplest way was to simply use a picture of the person to spoof the webcam into thinking it was the user.  Given the ready availability of images on sites like MySpace and Facebook, this seems to be an easy route to access.

The researchers also showed that, when no picture was available for the easier route, they could use a brute force attack that generates multiple random fake faces to eventually gain access.  States Professor Duc in his paper on the hack, "The mechanisms used by those three vendors haven't met the security requirements needed by an authentication system, and they cannot wholly protect their users from being tampered."

He continues, "There is no way to fix this vulnerability.  ASUS, Lenovo, and Toshiba have to remove this function from all the models of their laptops ... [they] must give an advisory to users all over the world: Stop using this [biometric] function."

He and his colleagues will be releasing a suite of tools for hacking facial recognition software at the Black Hat DC conference.  The key to using spoofed images, he and his team found, was simply tweaking the lighting and angle of the photo until the system accepted it.  Describes Professor Duc, "Due to the fact that a hacker doesn't know exactly how the face learnt by the system looks like, he has to create a large number of images...let us call this method of attack 'Fake Face Bruteforce.' It is just easy to do that with a wide range of image editing programs at the moment."

He breaks down the weakness further, stating, "One special point we found out when studying those algorithms is that all of them work with images that have already been digitalized and gone through image processing. Consequently, we think that this is the weakest security spot in face recognition systems, generally, and access control system of the three vendors, particularly."

Many government efforts in the U.S. and elsewhere are looking to use facial recognition software as a means to identify citizens in motor vehicles or at sensitive public locations like airports.


Remove it?
By choadenstein on 2/18/2009 9:15:20 AM , Rating: 5
He continues, "There is no way to fix this vulnerability. ASUS, Lenovo, and Toshiba have to remove this function from all the models of their laptops ... [they] must give an advisory to users all over the world: Stop using this [biometric] function."

While I agree that there may be some weaknesses in the system, as is or even with fixes, saying that companies should just stop using it is ridiculous. It's like saying since someone can pick the lock on my front door that I should just remove the lock. The lock, and the biometric scanning, still have their purposes.

RE: Remove it?
By JasonMick on 2/18/2009 9:40:48 AM , Rating: 4
I agree that asking them to take the technology off the market is unrealistic, but the companies should at least issue a warning to their users.

This threat is pretty severe as it offers extremely easy access to a system. Granted, hackers can typically crack most password-protected systems, and even fingerprint systems could in theory be cracked. However, in this case the sheer ease of the hack makes it really dangerous.

Any kid with a printer and access to Facebook or Myspace could infiltrate many systems with these methods. That opens the door to many more intrusions than for a password system that requires at least a small measure of hacking savvy and determination.

RE: Remove it?
By Spoelie on 2/18/2009 9:43:28 AM , Rating: 1
The fact you have to print out each and every try still makes it unfeasible to brute force a large amount of image variations, as suggested in the article.

RE: Remove it?
By BarkHumbug on 2/18/2009 10:15:54 AM , Rating: 3
Why would you have to print every photo? Couldn't you just show the pictures on another laptop with the screen facing towards the camera?

RE: Remove it?
By omnicronx on 2/18/2009 12:45:47 PM , Rating: 2
Surely the software can tell the difference between something static sitting in front of the camera, and something that is constantly refreshing (i.e. LCD screen).

RE: Remove it?
By michal1980 on 2/18/2009 2:33:58 PM , Rating: 2
LCD screens don't refresh.

RE: Remove it?
By LRonaldHubbs on 2/19/2009 4:16:36 PM , Rating: 2

RE: Remove it?
By Tamale on 2/18/2009 4:40:09 PM , Rating: 2
Please suggest how it could possibly tell the difference?

all this system does is analyze the light entering the camera. how would it know whether that's coming from another screen or a person's face?

RE: Remove it?
By Tamale on 2/18/2009 4:44:18 PM , Rating: 2
I would think that the biggest reason to remove this feature would be because of twins or even similar-looking siblings. I'm sure there are people out there who look similar enough to set this off that would rather their data remain secure.

RE: Remove it?
By MrTeal on 2/18/2009 11:22:34 AM , Rating: 3
I definitely agree. I use the fingerprint reader on my laptop all the time to log in when I pull it out of sleep; it's easier than typing in my password. Assuming the facial recognition is as fast or faster, it sounds like a good solution as well. I'm a student, it's not like I require something that can withstand a determined hacker for days. I just want something that makes it easier to log in while still keeping someone from setting my homepage to meatspin when I'm not there.

RE: Remove it?
By grcunning on 2/18/2009 2:55:56 PM , Rating: 2
You just ruined my appetite. I made it through 5 spins before I could grab the mouse.

RE: Remove it?
By acase on 2/18/2009 5:08:30 PM , Rating: 3
Well where was your hand instead--wait I don't want to know.

RE: Remove it?
By lightfoot on 2/18/2009 6:28:19 PM , Rating: 2
I'm a student, it's not like I require something that can withstand a determined hacker for days.

As a student I'm sure you would prefer security that might deter a roommate for at least a minute or two.
"Hacking" this system requires only a photo - a 5 year old could "hack" this on accident.

RE: Remove it?
By WackyDan on 2/18/2009 11:44:24 AM , Rating: 2
Bottom line, at least from my understanding, is that these laptops are consumer models, not business models. I draw the conclusion that the average consumer doesn't need or even care about a high level of security and just likes the simplicity of logging in with this feature.

The vendors it seems know that these facial biometric solutions are not all that secure as they don't bother to place them on their business laptop lines.

RE: Remove it?
By adampash on 2/22/2009 2:53:24 AM , Rating: 2
I was discovered on 12 July 2007
He only practice, not discovered.

By ceefka on 2/18/2009 9:12:08 AM , Rating: 2
It seems to me the main flaw lies in the system being 2D instead of 3D. It will be much harder to beat if it is 3D. Or even 4D (with gestures or so). Also, it should perhaps combine voice and fingerprint with it. To ultimately recognize a voice it would require a better microphone and audio application that are normally available in laptops. It will cost a small fortune to secure your laptop.

RE: 2D
By strunkwriter on 2/18/2009 9:21:37 AM , Rating: 5
I'm not sure I want to pay a small fortune to protect my BitTorrent files of Bleach.

RE: 2D
By tastyratz on 2/18/2009 9:39:44 AM , Rating: 3
What makes you think this would have to be a small fortune?

All they need to do to make this work is put 2 webcams, one on each side of the laptop with a slight angle inward. They could then recognize images in 3d space as well as detect the use of photographs or flat planes for images.

That would invalidate the photo/generation attacks, and add less than $20 in parts. The software would be more complex but it would likely be significantly more secure.

At that point someone could beat the system with a 3d printer, or master sculpting skills - but it would be more secure than a thumbprint, which can be faked with a high resolution picture of a fingerprint that you literally lick first (to fool sweat detection). It would likely become a more than reasonable level of security for classified information. Integrating that would be more secure than complex passwords people forget or write on sticky notes.

RE: 2D
By cgilbertmc on 2/18/2009 9:59:02 AM , Rating: 2
To make it even more secure...3D plus read words on the screen so the software would be able to compare mobile images and facial expressions. This eliminates statuary or other 3d rendered objects. You don't even need to include the audio data as a cold would render voice print unrecognizable.

RE: 2D
By Screwballl on 2/18/2009 10:11:59 AM , Rating: 2
Have some dentistry work and working from home for a few days? The numb side of the face will not move properly.
How about older people that have a stroke?
How about young people that got in a fight or were mugged and have a black eye or stitches?

Any change in facial features could render the laptop unusable, regardless of whether it is 2D, 3D or any combination. This is why a retinal scan plus fingerprint scan is one of the few ways this is rarely affected (save for Demolition Man with eyeball on a pen).

RE: 2D
By tastyratz on 2/18/2009 2:43:22 PM , Rating: 2
In that same argument any changes to "having eyeballs" and "having fingers" could carry the same argument. There is no perfect end all solution.

Barring a real life inspirational event for the next Batman movie, facial recognition is likely the most sound. Permanent disfigurement is not a common reason for being unable to access files.

While additional audio and facial speech pattern motions are another layer of security, they most likely would place unnecessary burden on the computer as well as complexity within the software raising costs for minimal gains.

It's pretty simple - it's your face. It's not going anywhere and in the event of a real life Silence of the Lambs re-enactment you will likely not care about your files being safe through speech pattern recognition. Instead, you will be screaming in pain for lack of face.

RE: 2D
By Oralen on 2/18/2009 10:26:03 AM , Rating: 2
A face, two webcams to recognise it's in 3D, and a 5 or 10 second delay to check if that face is actually moving.

Then you just ask the user to smile...

It would improve security because then 2D pictures would be out, as would be a 3D statue...

To say that this technology is so flawed that it needs to be removed right now is just arrogant posturing.

Without changing the hardware, you can just update the software to include movement. Then the person trying to access the computer would need to carry a big screen with him, at least the size of your face, AND a video of you smiling, to gain access...

More security? Ask the user to blink, at the same time...

Will it be perfect? No. Nothing is perfect. But not bad either without changing the hardware.

This technology is not flawed.

It's version 1.0 that's all...

Now that it has been cracked, expect version 2 to be released...

And when it will be out, expect a schmuck to say that, with the right equipment, like a nuclear warhead, or a tricorder, it might also be cracked...

Security is never perfect. It doesn't need to be. It needs to be good enough for the time being. And it needs to be updated when a flaw is found.

RE: 2D
By BarkHumbug on 2/19/2009 7:45:15 AM , Rating: 2
A face, two webcams to recognise it's in 3D, and a 5 or 10 second delay to check if that face is actually moving.

Then you just ask the user to smile...

More security? Ask the user to blink, at the same time...

5 to 10 second delay? Smiling and blinking? And if the system fails to recognize you, you'll have to do it all over again?

A password takes a couple of seconds to type at the most, guess I'll stick with that...

RE: 2D
By TreeDude62 on 2/18/2009 11:35:58 AM , Rating: 2
These types of security measures are not targeted at the average consumer, like yourself. They are for businesses which need data to be as secure as possible.

RE: 2D
By omnicronx on 2/18/2009 12:44:15 PM , Rating: 2
I think the quality of the webcams being used also has a huge impact. These integrated webcams have a resolution no larger than 640x480 and this surely must make a big difference in terms of finding distinguishing characteristics.

I do like your idea of mixing with fingerprint or voice, although I think voice would be a bad idea, as getting a cold could render your workday useless ;)

I like your 3d idea too, perhaps having 3 cameras with one mounted in the center and two mounted on the sides but on an angle. This matched with voice recognition would make it a lot harder to breach.

Biometrics are fancy usernames, not passwords.
By davepermen on 2/18/2009 9:33:51 AM , Rating: 2
Thus, they are not more secure than my username. Biometric information is information available in public without me giving it into public. Fingerprints can get grabbed everywhere, or my finger gets cut off. Pictures of me can be grabbed everywhere, or my head gets cut off.

Passwords are only in my brain, and so far, they can't get out of it except if I want. THAT is security.

Biometrics are a form of identification, not a validation that I GRANT access to something.

There's a huge difference. This difference should be stated everywhere. It's not a security thing, it's an authentication thing. Like my bank card: it's an authentication that that's my account. But my PIN code is the security showing it's only me that allows access.

Biometrics are stupid. It's better we adapt to the machine than the machine to us. The machine way (text, numbers, etc.) is correct or incorrect, and not in a certain margin of error, or not. Biometrics are inexact, passwords (and usernames) are exact.

By omgwtf8888 on 2/18/2009 2:43:56 PM , Rating: 2
finger prints can get grabbed everywhere, or my finger gets cut off

I am thinking that if someone is willing to lop off your finger to access your computer, they would probably be willing to keep lopping until you spill the password.


RE: Biometrics are fancy usernames, not passwords.
By mrEvil on 2/18/2009 3:37:56 PM , Rating: 2
No, people are inherently lazy and stupid with passwords. That is why we have to have things like biometrics.

For most people, passwords are not "only" in their brain. They tend to write them down and leave them in plain sight - or easily found locations.

Since grabbing fingerprints is so easy, mind spilling the beans on exactly how many you have grabbed, replicated and used?

Maybe if people would not write passwords down, or would choose something a bit more complex than Fluffy's name (still love Spaceballs and the luggage combination) we might not have this problem.

Once you fix the part about people being lazy with passwords or figure out how to educate a couple of billion people on how to properly use them, please let us know. You can probably make a lot of money off of it.

Biometrics and passwords do nothing more than authenticate an account, they do not grant access to anything. For any decent biometric package, you still need some form of identification - be it a badge or account (username in your case).

Your pin-code does not "show" that it is you. It only shows that someone has the right identification and authentication. How do you think skimming works? They read your card information, duplicate it, and then use your card and YOUR pin.

By eldakka on 2/18/2009 7:44:14 PM , Rating: 2
No, people are inherently lazy and stupid with passwords. That is why we have to have things like biometrics.

This is a PEBCAK issue, not a technological issue.

Why people insist on finding technological solutions to PEBCAK issues I have no idea (well, apart from governments trying to get greater control and corporations trying to make $$).

The best solution to PEBCAK issues is education. And, if after education, the PEBCAK issue still exists for some people, stuff them.

If someone protects their bank account with a password which they then write down, that's their problem.

no surprise
By Moishe on 2/18/2009 9:06:49 AM , Rating: 2
If a camera compares a picture to a picture and then bases access on the similarities... It should be easy to fake. Plenty of people look very similar and the threshold can't be too high or you would be locked out of your own PC if you shaved your mustache or forgot to shave for a few days.

RE: no surprise
By tmouse on 2/18/2009 9:24:30 AM , Rating: 2
It could be made stronger for better security but as the article stated the manufacturers wanted the authentication to be "hassle free" which is diametrically opposed to secure. ALL biometric security I have seen allows some form of password regulated access at some level to overcome the obvious problems of temporary damage (shaving, bandages, etc.) although most use things that are not easily changed (multiple ratios of facial landmarks). The thing I do not get is why do these dweebs have to offer a "complete hacking suite" when they expose the vulnerability? This crosses the line from being a concerned intelligent person to being a bone head who encourages criminal activity.
The last paragraph was, in my mind, completely unnecessary. What do facial recognition systems have to do with laptop security? Their goal is simply to narrow the number of people that need to be personally identified. This just makes security more efficient, so instead of a person scanning the severely limited field of vision trying to remember a few faces, a computer can cover a much larger area and have access to a much larger database of suspects. Of course the false discovery rate will be high but it will be far less than the other problem of missing a true target. Security is then free to check the limited number of potential targets (instead of checking out the really cute non-targets).

throw up gang signs
By alpensiedler on 2/18/2009 1:02:40 PM , Rating: 2
when setting their facial passwords, why don't users do some hand gesture in front of their faces? or contort their faces in some crazy way? that way it's sort of like a secret hand shake that only the computer can recognize. I mean it's not likely that you can simply use lighting changes and different faces to trick the software when it's looking for a picture of you flashing a gang symbol or picking your nose with one eye closed.

plus it would be hilarious to see people cringing and waving their hands to log back into their computers.

RE: throw up gang signs
By b534202 on 2/18/2009 1:24:56 PM , Rating: 2
because this technology is for lazy people who don't even want to remember a password. I don't think they'll want to pick their nose with their thumb just to log in.

Wonder if the OS was any linux distro
By majorpain on 2/18/2009 10:27:35 AM , Rating: 1
I know that getting a webcam to work with linux is a true pain, but my question is if it could be more secure than using any M$ system.

By bobsmith1492 on 2/18/2009 12:19:47 PM , Rating: 2
No "M$" hating here, please... read the article!

The problem is you can use a picture of the user to fake out the security. Linux won't prevent someone from finding your picture.

By A Stoner on 2/18/2009 10:15:08 AM , Rating: 2
It does not matter if you turn this into a 3d scanner, it will still be foolable with a 3d representation of the subject. It is obviously harder to make a 3D model of a human face, but it is nowhere near impossible and not overly expensive either.

By omgwtf8888 on 2/18/2009 3:01:04 PM , Rating: 2
Facial recognition as used in this case is for access. The more insidious use is for tracking/finding people.

Typically for any high security application, you are not going to be able to put a picture in front of the scanner as there is video monitoring and additional security features. For 90%+ of users this security is fine as it avoids them forgetting passwords and getting locked out. More security intense apps/systems/data will usually have a security token to go along with biometric.

On average we are each caught on surveillance cams 4x per day. Maybe we should all start wearing pictures of other people on faces as masks.

BTW facial hair and such does not affect facial recognition. My understanding is that it calculates the spans between key features, eyes, chin, bridge of nose, etc.

Monsters vs. aliens
By omgwtf8888 on 2/18/2009 3:05:30 PM , Rating: 2
Did anyone catch the trailer for this new movie? In the one sequence the professor entering the top security sector undergoes a sequence of scans.. the butt scan on what looks like a copier is a hoot!

BUTT scans FTW!

By tygrus on 2/18/2009 5:44:54 PM , Rating: 2
Use a turn of the head to capture several points of reference that must be matched with a natural turn of the head. If a sequence of still pictures is used then the system will recognise the changes and lack of linear turn. You could still defeat the system by using a 3D scan and print.
Add a sequence of eye movements and it should be able to tell it's a real person. You could also have the camera process the surrounding background before, during and after the face recognition to identify paper, displays or hand holding of objects used to fake a scan.
Any subsequent patent royalties for the above ideas would be greatly appreciated.
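As an added illustration of the "is the face actually moving, and does it blink" check that Oralen and tygrus propose (example code written for this page, not from the researchers or any vendor; the frame size, eye-band position, thresholds and the sample captures are all constructed assumptions):

```python
# Toy liveness check over a short capture window of tiny grayscale frames
# (lists of lists of ints, 0-255). A printed photo held in front of the
# camera changes only by sensor noise between frames and never blinks; a
# live subject sways slightly and blinks. Both captures below are constructed.
import random

FRAME_W, FRAME_H = 16, 16
EYE_ROWS = range(4, 6)        # assumed eye band inside the detected face box
EYE_COLS = range(4, 12)

def mean_abs_diff(a, b):
    """Average per-pixel absolute difference between two frames."""
    total = 0
    for row_a, row_b in zip(a, b):
        for pa, pb in zip(row_a, row_b):
            total += abs(pa - pb)
    return total / (FRAME_W * FRAME_H)

def motion_score(frames):
    """Mean inter-frame difference across the whole capture window."""
    diffs = [mean_abs_diff(frames[i], frames[i + 1]) for i in range(len(frames) - 1)]
    return sum(diffs) / len(diffs)

def eye_brightness(frame):
    vals = [frame[r][c] for r in EYE_ROWS for c in EYE_COLS]
    return sum(vals) / len(vals)

def blink_detected(frames, dip=0.6):
    """A blink shows up as a brief dip of the eye band well below its median
    brightness (closed eyelids are darker than open eyes in this toy model)."""
    series = [eye_brightness(f) for f in frames]
    baseline = sorted(series)[len(series) // 2]
    return any(v < baseline * dip for v in series)

def is_live(frames, motion_thresh=2.0):
    """Require both natural motion and a blink inside the capture window.
    Sensor noise alone stays well under motion_thresh (assumed value)."""
    return motion_score(frames) > motion_thresh and blink_detected(frames)

# ---- constructed sample captures (seeded so results are repeatable) ----
def base_face(seed=1):
    rng = random.Random(seed)
    return [[rng.randint(60, 200) for _ in range(FRAME_W)] for _ in range(FRAME_H)]

def add_noise(frame, rng, amp=1):
    return [[min(255, max(0, v + rng.randint(-amp, amp))) for v in row] for row in frame]

def photo_capture(n=10):
    """Printed photo held still: frames differ only by +/-1 sensor noise."""
    rng = random.Random(7)
    face = base_face()
    return [add_noise(face, rng) for _ in range(n)]

def live_capture(n=10):
    """Live subject: small horizontal sway each frame plus a blink on frame 5."""
    rng = random.Random(7)
    face = base_face()
    frames = []
    for i in range(n):
        shift = i % 3                                   # head sway
        shifted = [row[shift:] + row[:shift] for row in face]
        if i == 5:                                      # eyelids closed
            for r in EYE_ROWS:
                shifted[r] = [v // 4 if c in EYE_COLS else v
                              for c, v in enumerate(shifted[r])]
        frames.append(add_noise(shifted, rng))
    return frames

if __name__ == "__main__":
    print("photo:", is_live(photo_capture()), "live:", is_live(live_capture()))
```

As the thread itself notes, a replayed video of the user would pass a check like this; it only rules out static photographs and statues.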

Multi-Biometric system
By Senju on 2/18/2009 10:57:33 PM , Rating: 2
Why don't they use a Multi-Biometric system approach?
Here are 3 combo technologies they could use;
(1) Face Recognition
(2) Voice Recognition
(3) Password Recognition or contents Recognition

A person sits down in front of the webcam PC. The computer senses a person present and asks the person to voice out their weekly password. The security software checks the face with the voice and the password that was spoken.

I think this would be hard to hack!

One more proposal
By Senju on 2/18/2009 11:01:45 PM , Rating: 2
Why doesn't Mr. Obama ask Congress to insert a unique Biochip (or a barcode on the forehead) in every single American's head. All PCs will check the Biochip and identify that you is really you.

Why just use the face?
By japlha on 2/19/2009 4:20:34 PM , Rating: 2
Why not have the system use full body (frontal and anterior) pictures instead?

Not all solutions are built the same
By svrep on 2/25/2009 6:05:00 PM , Rating: 2
Certainly the tested implementations of facial recognition have their issues and it's good to know about them. That's a far cry, however, from saying that ALL implementations have the same weaknesses. There's a very strong version from Sensible Vision/Dell Computers, for example (NOT evaluated by the researchers...interesting), that not only has very strong photo resistance, but also a very straightforward second factor feature that all but resolves the issue entirely.

It also takes a bigger picture look at security by locking the desktop automatically when you walk away...a wide open desktop being a much bigger threat than a brute force photo attack since "hacking" an open machine doesn't require any skill or effort at all...just physical proximity!

Of course no solution is perfect or ever will be. Given enough time and access, absolutely any security can be bypassed. It's really a matter of picking the right tools to make this as hard as possible while keeping the computer easy (or at least not too much more difficult) to use in the process.

Full disclosure - I have worked for Sensible Vision for quite some time now. We've successfully used this technology for several years already to protect security critical PCs in hospitals, banks - even a maximum security prison.

By wwwebsurfer on 2/18/2009 6:17:21 PM , Rating: 1
This seems really easy to fix. Just use an IR camera...
