Friday, February 20, 2009 at 12:00PM
At Black Hat DC yesterday, researchers demonstrated the vulnerability of current biometric facial recognition technology as a log-in security measure. Entitled "Your Face is NOT Your Password: Face Authentication Bypassing Lenovo – Asus – Toshiba," the report describes how the software -- a successor to traditional, typed passwords -- is still in its very early stages.
Lenovo's Veriface III, ASUS' SmartLogon V1.0.0005, and Toshiba's Face Recognition 18.104.22.168 systems all use webcams and algorithms to match a stored image with the user's face in order to log them into the system. However, as the researchers demonstrated, there remain several fairly simple ways for users to bypass this authentication process.
For example, Nguyen Minh Duc, manager of the application security department at the Bach Khoa Internetwork Security Center, a Hanoi-based security organization, described how using an image bearing a slight resemblance to the one stored by the system can allow a user to bypass the software. With millions of photos made accessible online by Facebook, MySpace and other social networking sites, hackers can easily manipulate images in terms of angle and lighting until one works -- even an intermediate Photoshop user could make the requisite changes.
The team also showed a secondary spoofing technique called "fake face bruteforce," in which hackers generate multiple random faces to eventually gain access to the system. As one reporter recognized, this process parallels the conventional mechanism of trying hundreds, or possibly thousands, of text passwords before the correct combination is found.
Taking into account all of these concerns, it looks like the typed password will remain the preferred authentication method for laptops worldwide -- at least for now.
There are approaches, however, that can address both of these issues. First, the brute force vulnerability is the easier one to deal with. Since it is relatively easy for a laptop to recognize when it is being bombarded with hundreds or thousands of randomly generated, non-matching faces, that burst of activity can trigger a response from the facial recognition software itself. It might shut down in response to the attack, or simply slow down. By suspending for longer and longer intervals with each failed access attempt beyond the acceptable threshold, the brute force attack is dragged out over such a long period that it becomes impractical.
As for detecting the difference between live faces and pictures, a so-called 'liveness' test can be performed to deter hacking, but that is a much more difficult problem. However, I assure you that too can be done. As to how? I need to keep that to myself for now, but let's just say that not all facial recognition technology is so easily hacked.