The problem with any hot technology in the security world is that the desire to raise a product above the competition seems to invariably lead to boastful claims. Such claims make the technology a high profile target for hackers, and with the bright minds in the field, it takes little time to take many supposedly "unbeatable" countermeasures down. Thus was the case with RFID, recently shown to be extremely insecure, and now it appears that at least some types of biometrics are headed down the same path.
Nguyen Minh Duc, manager of the application security department at the Bach Khoa Internetwork Security Center at Hanoi University of Technology, is scheduled to demonstrate at Black Hat DC this week how he and his colleagues used multiple methods to hack top biometric facial recognition products and gain easy access to systems.
He and his colleagues hacked Lenovo's Veriface III, ASUS' SmartLogon V1.0.0005, and Toshiba's Face Recognition 18.104.22.168 systems, which come on the companies' webcam equipped laptops. These Windows XP and Windows Vista laptops use the webcams to scan the user's face, and if it matches the stored image, analyzed by an algorithm, it will log the user on. Facial recognition is considered by many in the security world to be less of a hassle then fingerprints and more secure than passwords.
The Vietnamese researchers showed that the tech might not be such a good idea, though, by using multiple means to crack it. The simplest way was to simply use a picture of the person to spoof the webcam into thinking it was the user. Given the ready availability of images on sites like MySpace and Facebook, this seems to be an easy route to access.
The researchers also showed that they could use a brute force attack generating multiple random fake faces to eventually gain access, for lack of a picture to use the easier route. States Profesor Duc in his paper on the hack, "The mechanisms used by those three vendors haven't met the security requirements needed by an authentication system, and they cannot wholly protect their users from being tampered."
He continues, "There is no way to fix this vulnerability. ASUS, Lenovo, and Toshiba have to remove this function from all the models of their laptops ... [they] must give an advisory to users all over the world: Stop using this [biometric] function."
He and his colleagues will be releasing a suite of tools for hacking facial recognition software at the Black Hat DC conference. The key to using spoofed images, he and his team found, was simply tweaking the lighting and angle of the photo until the system accepts it. Describes Professor Duc, "Due to the fact that a hacker doesn't know exactly how the face learnt by the system looks like, he has to create a large number of images...let us call this method of attack 'Fake Face Bruteforce.' It is just easy to do that with a wide range of image editing programs at the moment."
He breaks down the weakness further, stating, "One special point we found out when studying those algorithms is that all of them work with images that have already been digitalized and gone through image processing. Consequently, we think that this is the weakest security spot in face recognition systems, generally, and access control system of the three vendors, particularly."
Many government efforts in the U.S. and elsewhere are looking to use facial recognition software as a means to identify citizens in motor vehicles or at sensitive public locations like airports.