Face Rec Hacked! Needs "Liveness" Test
Friday, December 5, 2008 at 12:33PM
Very interesting article in CNet that highlighted an exciting new trend, but also pointed out that it may not be ready for prime time. Many new laptops, including new models from Lenovo, Asus and Toshiba, have started using facial recognition scans as the primary security mechanism for accessing their devices, rather than fingerprints or passwords. Definitely a cool use of new technologies, but as CNet points out, companies need to be sure they get it right before they introduce it to consumers, who would have no way to know their security was compromised.
In this test, security firm Vietnamese Internetwork Security Center (VISC) demonstrated vulnerabilities in laptops' face recognition-based authentication mechanisms that let anyone log in to a computer easily with a "special" photo of the legit owner, even at the highest authentication level. VISC was able to almost instantly produce a photo of CNet Editor Dong Ngo, taken over the laptop's webcam during a Skype chat, that fooled the computer's facial recognition software and successfully logged into a computer registered to Ngo.
Here's how Ngo described the offending photo:
About five minutes later, the technician produced a rather unflattering picture of me on a piece of letter-size paper. I could hardly agree that it was my mug on the photo. Nonetheless, when used in front of the laptop's camera, the Y430's authentication software was happy enough with the photo and logged in within a second. Pretty scary.
This type of hack is going to be very difficult for traditional facial recognition vendors to overcome. Early algorithms in this biometric field all focus exclusively on comparing one single image to another single image, even if that image is being extracted from a laptop web camera. There is zero concept of context or "liveness" in this approach, and so it is easily spoofed. 3VR Security is the only company I know of with a facial recognition platform built from the ground up to analyze streams of faces, like those in a video feed, rather than just single images. With this type of approach, subtle changes in motion, expression, pose, and other variables unique to a "live" 3D person can be analyzed at the same time a biometric match is taking place and the kind of spoofing demonstrated here simply would not work. Maybe it's time for laptop vendors to upgrade their algorithms.
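The contrast drawn above between single-image matching and stream analysis, as an added example that is not part of the original post and is not 3VR's or any laptop vendor's code. It assumes a hypothetical upstream pipeline that yields a match score and an eye aspect ratio per frame and uses blinking as the only liveness cue; every threshold and sample stream is constructed.

```python
from dataclasses import dataclass

# All thresholds below are assumptions chosen for illustration.
MATCH_THRESHOLD = 0.80   # matcher score needed to accept a face
EAR_OPEN = 0.25          # eye aspect ratio above which eyes count as open
EAR_CLOSED = 0.18        # eye aspect ratio below which eyes count as closed
MAX_BLINK_FRAMES = 8     # longer closures are not counted as a blink


@dataclass
class Frame:
    match_score: float   # similarity to the enrolled template, 0..1
    ear: float           # eye aspect ratio measured in this frame


def single_image_login(frame):
    """The approach the post criticises: one frame against one template."""
    return frame.match_score >= MATCH_THRESHOLD


def count_blinks(frames):
    """Count open -> closed -> open transitions in the EAR series."""
    blinks, closed_run, seen_open = 0, 0, False
    for f in frames:
        if f.ear < EAR_CLOSED:
            if seen_open:            # ignore a stream that starts closed
                closed_run += 1
        elif f.ear > EAR_OPEN:
            if 0 < closed_run <= MAX_BLINK_FRAMES:
                blinks += 1
            closed_run, seen_open = 0, True
    return blinks


def stream_login(frames, min_frames=15, min_blinks=1):
    """Accept only if the face matches across the stream AND it blinked."""
    if len(frames) < min_frames:
        return False
    matched = sum(f.match_score >= MATCH_THRESHOLD for f in frames)
    if matched < 0.9 * len(frames):  # tolerate a few weak frames mid-blink
        return False
    return count_blinks(frames) >= min_blinks


# Constructed sample streams (not real measurements).
PHOTO = [Frame(0.91, 0.29 + 0.005 * (i % 2)) for i in range(30)]   # printed photo
LIVE = [Frame(0.88, 0.12 if 12 <= i <= 14 else 0.30) for i in range(30)]
```

The photo stream passes `single_image_login` on any frame but fails `stream_login`, because its eye aspect ratio never leaves the open range.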


Reader Comments (5)
Amazing Dude, I didn't know that, thank you.
Are all your facts correct? I am not trying to be a pain in the behind, though I don't observe how this makes total sense! I often have to check the same small things out for myself on my own Laptop Battery Commentary site, here... Buy-Batteries.com (http://www.buy-batteries.com)... but what you wrote is important, and I will place a link back to your post. Regards!
Thanks for good article. Hope to see more soon. . . . .
Yeah, a good article. Thank you!
Thanks for taking the time to chat about this, I feel fervently about this and I benefit from learning about this subject. Please, as you gain information, please add to this blog with more information. I have found it really useful.