
The Asus U2E is among the products that the hackers were easily able to log on to by spoofing the facial recognition software. The hackers broke into Lenovo, Toshiba, and ASUSTek systems with ease. (Source: ASUSTek)
At a major hacking conference, participants showed that yet another supposedly secure technology just isn't very secure.

The problem with any hot technology in the security world is that the desire to raise a product above the competition seems to invariably lead to boastful claims.  Such claims make the technology a high-profile target for hackers, and with the bright minds in the field, it takes little time to take many supposedly "unbeatable" countermeasures down.  Such was the case with RFID, recently shown to be extremely insecure, and now it appears that at least some types of biometrics are headed down the same path.

Nguyen Minh Duc, manager of the application security department at the Bach Khoa Internetwork Security Center at Hanoi University of Technology, is scheduled to demonstrate at Black Hat DC this week how he and his colleagues used multiple methods to hack top biometric facial recognition products and gain easy access to systems.

He and his colleagues hacked Lenovo's Veriface III, ASUS' SmartLogon V1.0.0005, and Toshiba's Face Recognition systems, which come on the companies' webcam-equipped laptops.  These Windows XP and Windows Vista laptops use the webcams to scan the user's face, and if an algorithm finds that it matches the stored image, the system logs the user on.  Facial recognition is considered by many in the security world to be less of a hassle than fingerprints and more secure than passwords.

The Vietnamese researchers showed that the tech might not be such a good idea, though, by using multiple means to crack it.  The simplest way was to use a picture of the person to spoof the webcam into thinking it was the user.  Given the ready availability of images on sites like MySpace and Facebook, this seems to be an easy route to access.

The researchers also showed that, when no picture was available for the easier route, they could use a brute force attack, generating multiple random fake faces to eventually gain access.  States Professor Duc in his paper on the hack, "The mechanisms used by those three vendors haven't met the security requirements needed by an authentication system, and they cannot wholly protect their users from being tampered."

He continues, "There is no way to fix this vulnerability.  ASUS, Lenovo, and Toshiba have to remove this function from all the models of their laptops ... [they] must give an advisory to users all over the world: Stop using this [biometric] function."

He and his colleagues will be releasing a suite of tools for hacking facial recognition software at the Black Hat DC conference.  The key to using spoofed images, he and his team found, was simply tweaking the lighting and angle of the photo until the system accepts it.  Describes Professor Duc, "Due to the fact that a hacker doesn't know exactly how the face learnt by the system looks like, he has to create a large number of images...let us call this method of attack 'Fake Face Bruteforce.' It is just easy to do that with a wide range of image editing programs at the moment."

He breaks down the weakness further, stating, "One special point we found out when studying those algorithms is that all of them work with images that have already been digitalized and gone through image processing. Consequently, we think that this is the weakest security spot in face recognition systems, generally, and access control system of the three vendors, particularly."

Many government efforts in the U.S. and elsewhere are looking to use facial recognition software as a means to identify citizens in motor vehicles or at sensitive public locations like airports.


By ceefka on 2/18/2009 9:12:08 AM , Rating: 2
It seems to me the main flaw lies in the system being 2D instead of 3D. It will be much harder to beat if it is 3D. Or even 4D (with gestures or so). Also, it should perhaps combine voice and fingerprint with it. To ultimately recognize a voice it would require a better microphone and audio application that are normally available in laptops. It will cost a small fortune to secure your laptop.

RE: 2D
By strunkwriter on 2/18/2009 9:21:37 AM , Rating: 5
I'm not sure I want to pay a small fortune to protect my BitTorrent files of Bleach.

RE: 2D
By tastyratz on 2/18/2009 9:39:44 AM , Rating: 3
What makes you think this would have to be a small fortune?

All they need to do to make this work is put 2 webcams, one on each side of the laptop with a slight angle inward. They could then recognize images in 3d space as well as detect the use of photographs or flat planes for images.

That would invalidate the photo/generation attacks, and add less than $20 in parts. The software would be more complex but it would likely be significantly more secure.

At that point someone could beat the system with a 3d printer, or master sculpting skills - but it would be more secure than a thumb print which can be faked with a high resolution picture of a finger print that you literally lick first (to fool sweat detection). It would likely become a more than reasonable level of security for classified information. Integrating that would be more secure than complex passwords people forget or write on sticky notes.

RE: 2D
By cgilbertmc on 2/18/2009 9:59:02 AM , Rating: 2
To make it even more secure...3D plus read words on the screen so the software would be able to compare mobile images and facial expressions. This eliminates statuary or other 3d rendered objects. You don't even need to include the audio data as a cold would render voice print unrecognizable.

RE: 2D
By Screwballl on 2/18/2009 10:11:59 AM , Rating: 2
Have some dentistry work and working from home for a few days? The numb side of the face will not move properly.
How about older people that have a stroke?
How about young people that got in a fight or were mugged and have a black eye or stitches?

Any change in facial features could render the laptop unusable, regardless if it is 2D, 3D or any combination. This is why a retinal scan plus fingerprint scan is one of the few ways this is rarely affected (save for Demolition Man with eyeball on a pen).

RE: 2D
By tastyratz on 2/18/2009 2:43:22 PM , Rating: 2
In that same argument any changes to "having eyeballs" and "having fingers" could carry the same argument. There is no perfect end all solution.

Barring a real life inspirational event for the next Batman movie, facial recognition is likely the most sound. Permanent disfigurement is not a common reason for being unable to access files.

While additional audio and facial speech pattern motions are another layer of security, they most likely would place unnecessary burden on the computer as well as complexity within the software raising costs for minimal gains.

It's pretty simple - it's your face. It's not going anywhere and in the event of a real life Silence of the Lambs re-enactment you will likely not care about your files being safe through speech pattern recognition. Instead, you will be screaming in pain for lack of face.

RE: 2D
By Oralen on 2/18/2009 10:26:03 AM , Rating: 2

A face, two webcams to recognise it's in 3D, and a 5 or 10 seconds delay to check if that face is actually moving.

Then you just ask the user to smile...

It would improve security because then 2D pictures would be out, as would be a 3D statue...

To say that this technology is so flawed that it needs to be removed right now is just arrogant posturing.

Without changing the hardware, you can just update the software to include movement. Then the person trying to access the computer would need to carry a big screen with him, at least the size of your face, AND a video of you smiling, to gain access...

More security? Ask the user to blink, at the same time...

Will it be perfect? No. Nothing is perfect. But not bad either without changing the hardware.

This technology is not flawed.

It's version 1.0 that's all...

Now that it has been cracked, expect version 2 to be released...

And when it will be out, expect a schmuck to say that, with the right equipment, like a nuclear warhead, or a tricorder, it might also be cracked...

Security is never perfect. It doesn't need to be. It needs to be good enough for the time being. And it needs to be updated when a flaw is found.

RE: 2D
By BarkHumbug on 2/19/2009 7:45:15 AM , Rating: 2
A face, two webcams to recognise it's in 3D, and a 5 or 10 seconds delay to check if that face is actually moving.

Then you just ask the user to smile...

More security? Ask the user to blink, at the same time...

5 to 10 second delay? Smiling and blinking? And if the system fails to recognize you, you'll have to do it all over again?

A password takes a couple of seconds to type at the most, guess I'll stick with that...

RE: 2D
By TreeDude62 on 2/18/2009 11:35:58 AM , Rating: 2
These types of security measures are not targeted at the average consumer, like yourself. They are for businesses which need data to be as secure as possible.

RE: 2D
By omnicronx on 2/18/2009 12:44:15 PM , Rating: 2
I think the quality of the webcams being used also has a huge impact. These integrated webcams have a resolution no larger than 640x480 and this surely must make a big difference in terms of finding distinguishing characteristics.

I do like your idea of mixing with fingerprint or voice, although I think voice would be a bad idea, as getting a cold could render your workday useless ;)

I like your 3d idea too, perhaps having 3 cameras with one mounted in the center and two mounting on the sides but on an angle. This matched with voice recognition would make it a lot harder to breach.
