
The Asus U2E is among the products the hackers were easily able to log on to by spoofing the facial recognition software. The hackers broke into Lenovo, Toshiba, and ASUSTek systems with ease.  (Source: ASUSTek)
At a major hacking conference participants showed yet another supposedly secure technology just isn't very secure

The problem with any hot technology in the security world is that the desire to raise a product above the competition seems to invariably lead to boastful claims.  Such claims make the technology a high profile target for hackers, and with the bright minds in the field, it takes little time to take many supposedly "unbeatable" countermeasures down.  Thus was the case with RFID, recently shown to be extremely insecure, and now it appears that at least some types of biometrics are headed down the same path.

Nguyen Minh Duc, manager of the application security department at the Bach Khoa Internetwork Security Center at Hanoi University of Technology, is scheduled to demonstrate at Black Hat DC this week how he and his colleagues used multiple methods to hack top biometric facial recognition products and gain easy access to systems.

He and his colleagues hacked Lenovo's Veriface III, ASUS' SmartLogon V1.0.0005, and Toshiba's Face Recognition systems, which come on the companies' webcam-equipped laptops.  These Windows XP and Windows Vista laptops use the webcam to scan the user's face, and if the image, analyzed by an algorithm, matches the stored one, the system logs the user on.  Facial recognition is considered by many in the security world to be less of a hassle than fingerprints and more secure than passwords.

The Vietnamese researchers showed that the tech might not be such a good idea, though, by using multiple means to crack it.  The simplest way was to simply use a picture of the person to spoof the webcam into thinking it was the user.  Given the ready availability of images on sites like MySpace and Facebook, this seems to be an easy route to access.

The researchers also showed that, when no picture was available for the easier route, they could use a brute force attack, generating many random fake faces until one was eventually accepted.  States Professor Duc in his paper on the hack, "The mechanisms used by those three vendors haven't met the security requirements needed by an authentication system, and they cannot wholly protect their users from being tampered."

He continues, "There is no way to fix this vulnerability.  ASUS, Lenovo, and Toshiba have to remove this function from all the models of their laptops ... [they] must give an advisory to users all over the world: Stop using this [biometric] function."

He and his colleagues will be releasing a suite of tools for hacking facial recognition software at the Black Hat DC conference.  The key to using spoofed images, he and his team found, was simply tweaking the lighting and angle of the photo until the system accepts it.  Describes Professor Duc, "Due to the fact that a hacker doesn't know exactly how the face learnt by the system looks like, he has to create a large number of images...let us call this method of attack 'Fake Face Bruteforce.' It is just easy to do that with a wide range of image editing programs at the moment."

He breaks down the weakness further, stating, "One special point we found out when studying those algorithms is that all of them work with images that have already been digitalized and gone through image processing. Consequently, we think that this is the weakest security spot in face recognition systems, generally, and access control system of the three vendors, particularly."
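The two points above, that the matcher works on already digitized images and that random fake faces will eventually be accepted, come down to one property of any biometric matcher: it accepts everything within a tolerance margin of the enrolled template, not one exact value. The following toy model is an added illustration and is not the researchers' tool or any vendor's algorithm. It assumes a template is a feature vector in the unit cube and that the matcher accepts a probe whose Euclidean distance is within a tolerance (both assumptions are constructed here), then estimates the false-acceptance rate (FAR) for random probes and the number of attempts that rate implies, next to the exact-match cost of guessing a password. FAR is the figure an evaluator should ask a vendor for before trusting a biometric logon.

```python
import math
import random

# Toy model (constructed for illustration, not any vendor's algorithm):
# a face template is a feature vector in [0,1]^DIM and the matcher accepts
# a probe whose Euclidean distance to the template is within a tolerance.
DIM = 4


def distance(a, b):
    """Euclidean distance between two equal-length feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def accepts(template, probe, tolerance):
    """Inexact matcher: anything inside the tolerance sphere is accepted."""
    return distance(template, probe) <= tolerance


def estimate_far(template, tolerance, trials=20000, seed=1):
    """Monte Carlo estimate of the false-acceptance rate (FAR): the fraction
    of uniformly random probes (stand-ins for generated fake faces) that the
    matcher accepts even though none of them is the enrolled user."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        probe = [rng.random() for _ in range(len(template))]
        if accepts(template, probe, tolerance):
            hits += 1
    return hits / trials


def expected_random_attempts(far):
    """Expected number of random probes before one is accepted
    (mean of a geometric distribution with success probability far)."""
    return math.inf if far == 0 else 1.0 / far


def expected_password_guesses(alphabet_size, length):
    """Exact matching: on average half the keyspace must be tried."""
    return (alphabet_size ** length) / 2


def far_table(template, tolerances, trials=20000, seed=1):
    """FAR estimate for each tolerance, using the same random probes so the
    values are directly comparable (FAR grows with the tolerance)."""
    return {tol: estimate_far(template, tol, trials, seed) for tol in tolerances}


if __name__ == "__main__":
    # Constructed enrolled template; a real system would derive one from images.
    enrolled = [0.42, 0.57, 0.35, 0.61]
    print("exact 8-char lowercase password: ~%.2e guesses on average"
          % expected_password_guesses(26, 8))
    for tol, far in far_table(enrolled, [0.1, 0.3, 0.5, 0.8]).items():
        print("tolerance %.1f: FAR %.4f -> ~%.0f random probes on average"
              % (tol, far, expected_random_attempts(far)))
```

The table makes the trade-off visible: loosening the tolerance so legitimate users are not rejected under different lighting enlarges the acceptance region, and with it the share of random inputs that pass, which is exactly the margin a fake-face search exploits. An exact secret has no such margin, so its guessing cost is fixed by the keyspace alone.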

Many government efforts in the U.S. and elsewhere are looking to use facial recognition software as a means to identify citizens in motor vehicles or at sensitive public locations like airports.


Biometrics are fancy usernames, not passwords.
By davepermen on 2/18/2009 9:33:51 AM , Rating: 2
Thus, they are not more secure than my username. Biometric information is information that is available in public without me giving it to the public. Fingerprints can be grabbed everywhere, or my finger gets cut off. Pictures of me can be grabbed everywhere, or my head gets cut off.

Passwords are only in my brain, and so far, they can't get out of it except if I want. THAT is security.

Biometrics are a form of identification, not a validation that I GRANT access to something.

There's a huge difference. This difference should be stated everywhere. It's not a security thing, it's an authentication thing. Like my bank card: it's an authentication that that's my account. But my PIN code is the security showing it's only me that allows access.

Biometrics are stupid. It's better we adapt to the machine than the machine to us. The machine way (text, numbers, etc.) is correct or incorrect, not within a certain margin of error or not. Biometrics are inexact; passwords (and usernames) are exact.

By omgwtf8888 on 2/18/2009 2:43:56 PM , Rating: 2
finger prints can get grabbed everywhere, or my finger gets cut off

I am thinking that if someone is willing to lop off your finger to access your computer, they would probably be willing to keep lopping until you spill the password.


RE: Biometrics are fancy usernames, not passwords.
By mrEvil on 2/18/2009 3:37:56 PM , Rating: 2
No, people are inherently lazy and stupid with passwords. That is why we have to have things like biometrics.

For most people, passwords are not "only" in their brain. They tend to write them down and leave them in plain sight - or easily found locations.

Since grabbing fingerprints is so easy, mind spilling the beans on exactly how many you have grabbed, replicated and used?

Maybe if people would not write passwords down, or would choose something a bit more complex than Fluffy's name (still love Spaceballs and the luggage combination) we might not have this problem.

Once you fix the part about people being lazy with passwords or figure out how to educate a couple of billion people on how to properly use them, please let us know. You can probably make a lot of money off of it.

Biometrics and passwords do nothing more than authenticate an account, they do not grant access to anything. For any decent biometric package, you still need some form of identification - be it a badge or account (username in your case).

Your pin-code does not "show" that it is you. It only shows that someone has the right identification and authentication. How do you think skimming works? They read your card information, duplicate it, and then use your card and YOUR pin.

By eldakka on 2/18/2009 7:44:14 PM , Rating: 2
No, people are inherently lazy and stupid with passwords. That is why we have to have things like biometrics.

This is a PEBCAK issue, not a technological issue.

Why people insist on finding technological solutions to PEBCAK issues I have no idea (well, apart from governments trying to get greater control and corporations trying to make $$).

The best solution to PEBCAK issues is education. And, if after education, the PEBCAK issue still exists for some people, stuff them.

If someone protects their bank account with a password which they then write down, that's their problem.


Copyright 2016 DailyTech LLC.