backtop


Print 45 comment(s) - last by svrep.. on Feb 25 at 6:05 PM


The Asus U2E is among the products that the hackers were easily able to gain logon to by spoofing the facial recognition software. The hackers broke into Lenovo, Toshiba, and ASUSTek systems with ease.  (Source: ASUSTek)
At a major hacking conference participants showed yet another supposedly secure technology just isn't very secure

The problem with any hot technology in the security world is that the desire to raise a product above the competition seems to invariably lead to boastful claims.  Such claims make the technology a high profile target for hackers, and with the bright minds in the field, it takes little time to take many supposedly "unbeatable" countermeasures down.  Thus was the case with RFID, recently shown to be extremely insecure, and now it appears that at least some types of biometrics are headed down the same path.

Nguyen Minh Duc, manager of the application security department at the Bach Khoa Internetwork Security Center at Hanoi University of Technology, is scheduled to demonstrate at Black Hat DC this week how he and his colleagues used multiple methods to hack top biometric facial recognition products and gain easy access to systems.

He and his colleagues hacked Lenovo's Veriface III, ASUS' SmartLogon V1.0.0005, and Toshiba's Face Recognition 2.0.2.32 systems, which come on the companies' webcam equipped laptops.  These Windows XP and Windows Vista laptops use the webcams to scan the user's face, and if it matches the stored image, analyzed by an algorithm, it will log the user on.  Facial recognition is considered by many in the security world to be less of a hassle then fingerprints and more secure than passwords.

The Vietnamese researchers showed that the tech might not be such a good idea, though, by using multiple means to crack it.  The simplest way was to simply use a picture of the person to spoof the webcam into thinking it was the user.  Given the ready availability of images on sites like MySpace and Facebook, this seems to be an easy route to access.

The researchers also showed that they could use a brute force attack generating multiple random fake faces to eventually gain access, for lack of a picture to use the easier route.  States Profesor Duc in his paper on the hack, "The mechanisms used by those three vendors haven't met the security requirements needed by an authentication system, and they cannot wholly protect their users from being tampered."

He continues, "There is no way to fix this vulnerability.  ASUS, Lenovo, and Toshiba have to remove this function from all the models of their laptops ... [they] must give an advisory to users all over the world: Stop using this [biometric] function."

He and his colleagues will be releasing a suite of tools for hacking facial recognition software at the Black Hat DC conference.  The key to using spoofed images, he and his team found, was simply tweaking the lighting and angle of the photo until the system accepts it.  Describes Professor Duc, "Due to the fact that a hacker doesn't know exactly how the face learnt by the system looks like, he has to create a large number of images...let us call this method of attack 'Fake Face Bruteforce.' It is just easy to do that with a wide range of image editing programs at the moment."

He breaks down the weakness further, stating, "One special point we found out when studying those algorithms is that all of them work with images that have already been digitalized and gone through image processing. Consequently, we think that this is the weakest security spot in face recognition systems, generally, and access control system of the three vendors, particularly."

Many government efforts in the U.S. and elsewhere are looking to use facial recognition software as a means to identify citizens in motor vehicles or at sensitive public locations like airports.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Remove it?
By JasonMick (blog) on 2/18/2009 9:40:48 AM , Rating: 4
I agree that asking them to take the technology off the market is unrealistic, but the companies should at least issue a warning to their users.

This threat is pretty severe as it offers extremely easy access to a system. Granted, hackers can typically crack most password-protected systems, and even fingerprints systems could in theory be cracked. However, in this case the sheer ease of the hack makes it really dangerous.

Any kid with a printer and access to Facebook or Myspace could infiltrate many systems with these methods. That opens the door to many more intrusions than for a password system that requires at least a small measure of hacking savvy and determination.


RE: Remove it?
By Spoelie on 2/18/2009 9:43:28 AM , Rating: 1
The fact you have to print out each and every try still makes it unfeasible to brute force a large amount of image variations, as suggested in the article.


RE: Remove it?
By BarkHumbug on 2/18/2009 10:15:54 AM , Rating: 3
Why would you have to print every photo? Couldn't you just show the pictures on another laptop with the screen facing towards the camera?


RE: Remove it?
By omnicronx on 2/18/2009 12:45:47 PM , Rating: 2
Surely the software can tell the difference between something static sitting in front of the camera, and something that is constantly refreshing (i.e LCD screen).


RE: Remove it?
By michal1980 on 2/18/2009 2:33:58 PM , Rating: 2
lcd screens dont refresh.


RE: Remove it?
By LRonaldHubbs on 2/19/2009 4:16:36 PM , Rating: 2
lolwut


RE: Remove it?
By Tamale on 2/18/2009 4:40:09 PM , Rating: 2
please suggest how it could possible tell the difference?

all this system does is analyze the light entering the camera. how would it know whether that's coming from another screen or a person's face?


RE: Remove it?
By Tamale on 2/18/2009 4:44:18 PM , Rating: 2
I would think that the biggest reason to remove this feature would be because of twins or even similar-looking siblings. I'm sure there are people out there who look similar enough to set this off that would rather their data remain secure.


"We are going to continue to work with them to make sure they understand the reality of the Internet.  A lot of these people don't have Ph.Ds, and they don't have a degree in computer science." -- RIM co-CEO Michael Lazaridis














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki