Facial Recognition Authentication Software on Laptops Still Vulnerable to Hackers
Friday, February 20, 2009 at 12:00PM 
At Black Hat DC yesterday, researchers demonstrated the vulnerability of current biometric facial recognition technology as a log-in security measure. Entitled "Your Face is NOT Your Password: Face Authentication Bypassing Lenovo – Asus – Toshiba," the report describes how the software -- a successor to traditional, typed passwords -- is still in its very early stages.
Lenovo's Veriface III, ASUS' SmartLogon V1.0.0005, and Toshiba's Face Recognition 2.0.2.32 systems all use webcams and algorithms to match a stored image with the user's face in order to log them into the system. However, as the researchers demonstrated, there remain several fairly simple ways for users to bypass this authentication process.
For example, Nguyen Minh Duc, manager of the application security department at the Bach Khoa Internetwork Security Center, a Hanoi-based security organization, described how using an image bearing a slight resemblance to the one stored by the system can allow a user to bypass the software. With millions of photos made accessible online by Facebook, MySpace and other social networking sites, hackers can easily manipulate images in terms of angle and lighting until one works -- even an intermediate Photoshop user could make the requisite changes.
The team also showed a secondary spoofing technique called "fake face bruteforce," in which hackers generate multiple random faces to eventually gain access to the system. As one reporter recognized, this process parallels the conventional mechanism of trying hundreds, or possibly thousands, of text passwords before the correct combination is found.
Taking into account all of these concerns, it looks like the typed password will remain the preferred authentication method for laptops worldwide -- at least for now.
There are approaches, however, that can address both of these issues. First, dealing with the brute force attack vulnerability is the easiest. Since it's relatively easy for a laptop to know when it is being bombarded with hundreds or thousands of randomly generated and incorrect faces, that kind of activity burst can trigger a response from the facial recognition software itself. It might shut down in response to the attack, or possibly just slow down. By suspending for longer and longer intervals with each failed access attempt beyond the acceptable threshold, the brute force attack is dragged out over such a long time period that it becomes impractical.
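One way to implement the escalating suspension just described, as an added illustration that is not from the article or from any of the named vendors' products; the three-failure threshold, the doubling delay, the one-hour cap and the 0..1 similarity score are all assumptions:

```python
"""Escalating lockout against 'fake face bruteforce' (added example)."""
from dataclasses import dataclass


@dataclass
class FaceAuthThrottle:
    # Assumed policy values, not from the article: three free failures,
    # then a suspension that doubles with each further failure, capped.
    threshold: int = 3
    base_delay: float = 2.0      # seconds after the first excess failure
    max_delay: float = 3600.0    # cap so a legitimate user is not locked out forever
    accept_score: float = 0.9    # similarity needed to match (hypothetical 0..1 scale)
    failures: int = 0
    locked_until: float = 0.0

    def lockout_for(self, failures: int) -> float:
        """Suspension imposed after the given cumulative failure count."""
        excess = failures - self.threshold
        if excess <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (excess - 1), self.max_delay)

    def attempt(self, match_score: float, now: float):
        """Evaluate one presented face. Returns (outcome, seconds)."""
        if now < self.locked_until:
            # Do not even run the matcher while suspended, so the caller
            # learns nothing about how close this candidate face was.
            return "suspended", self.locked_until - now
        if match_score >= self.accept_score:
            self.failures = 0           # a genuine login clears the counter
            return "accepted", 0.0
        self.failures += 1
        delay = self.lockout_for(self.failures)
        self.locked_until = now + delay
        return "rejected", delay


def enforced_delay(n_failures: int, throttle=None) -> float:
    """Total suspension an attacker must sit through to get n random faces evaluated."""
    t = throttle or FaceAuthThrottle()
    return sum(t.lockout_for(k) for k in range(1, n_failures + 1))


if __name__ == "__main__":
    # Constructed scenario: every presented face is a non-match.
    for n in (5, 10, 20):
        print(f"{n} failed faces cost the attacker {enforced_delay(n):.0f} s of suspension")
```

With these constants the 20th non-matching face can only be evaluated after roughly seven hours of cumulative suspension, while a real user who mistypes nothing pays no delay at all.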
As for detecting the difference between live faces and pictures, a so-called 'liveness' test can be performed to deter hacking, but that is a much more difficult problem. However, I assure you that it, too, can be done. As to how? I need to keep that to myself for now, but let's just say that not all facial recognition technology is so easily hacked.


Reader Comments (9)
Great post as usual!
:) Good point. You are absolutely right.
This article is truly wonderful, thank you for that! Keep up the good work!
Great information! I’ve been looking for something like this for a while now. Thanks!
Greetings! I recently read through your posting and I loved it. We were curious if you are intending to develop additional articles to go along with this one?
Hey, this is important info, am into all this... fine story bro
Having searched up and down the internet, the only true source for quality internet marketing and affiliate marketing, being white hat, black hat or any software tools is 100% the Black Hat Ninjas. I recommend this website to anyone who seeks to earn money online.
Freakin smokin blog you got here! Found it on Google, Doing something right!
Nice post, found your blog the other day on Google you seem to talk a lot of sense!