Friday, December 5, 2008

Face Rec Hacked! Needs "Liveness" Test

A very interesting article in CNet highlighted an exciting new trend, but also pointed out that it may not be ready for prime time. Many new laptops, including new models from Lenovo, Asus and Toshiba, have started using facial recognition scans as the primary security mechanism for accessing their devices, rather than fingerprints or passwords. It is definitely a cool use of new technologies, but as CNet points out, companies need to be sure they get it right before they introduce it to consumers, who would have no way to know their security was compromised.

In this test, security firm Vietnamese Internetwork Security Center (VISC) demonstrated vulnerabilities in laptops' face recognition-based authentication mechanisms that let anyone log in to a computer easily with a "special" photo of the legit owner, even at the highest authentication level. VISC was able to almost instantly produce a photo of CNet Editor Dong Ngo, taken over the laptop's webcam during a Skype chat, that fooled the computer's facial recognition software and successfully logged into a computer registered to Ngo.

Here's how Ngo described the offending photo:


About five minutes later, the technician produced a rather unflattering picture of me on a piece of letter-size paper. I could hardly agree that it was my mug on the photo. Nonetheless, when used in front of the laptop's camera, the Y430's authentication software was happy enough with the photo and logged in within a second. Pretty scary.

This type of hack is going to be very difficult for traditional facial recognition vendors to overcome. Early algorithms in this biometric field all focus exclusively on comparing one single image to another single image, even if that image is being extracted from a laptop web camera. There is zero concept of context or "liveness" in this approach, and so it is easily spoofed. 3VR Security is the only company I know of with a facial recognition platform built from the ground up to analyze streams of faces, like those in a video feed, rather than just single images. With this type of approach, subtle changes in motion, expression, pose, and other variables unique to a "live" 3D person can be analyzed at the same time a biometric match is taking place, and the kind of spoofing demonstrated here simply would not work. Maybe it's time for laptop vendors to upgrade their algorithms.
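To make the contrast between single-image matching and stream analysis concrete, here is an added example; it is not from the original post, CNet, VISC or 3VR. It assumes a face tracker already supplies six 2D landmarks per frame; the coordinates, thresholds and function names are all constructed for illustration, and the check ignores rotation and perspective.

```python
import math

# Constructed sample: six (x, y) face landmarks for the enrolled user
# (upper/lower eyelid of each eye, nose tip, mouth). Not real data.
TEMPLATE = [(30, 40), (30, 44), (70, 40), (70, 44), (50, 60), (50, 80)]

def normalize(pts):
    """Remove translation and scale so only the face's shape remains."""
    n = len(pts)
    cx = sum(x for x, _ in pts) / n
    cy = sum(y for _, y in pts) / n
    centered = [(x - cx, y - cy) for x, y in pts]
    scale = math.sqrt(sum(x * x + y * y for x, y in centered) / n)
    return [(x / scale, y / scale) for x, y in centered]

def shape_distance(a, b):
    """RMS distance between two landmark sets after normalization."""
    a, b = normalize(a), normalize(b)
    return math.sqrt(sum((ax - bx) ** 2 + (ay - by) ** 2
                         for (ax, ay), (bx, by) in zip(a, b)) / len(a))

def single_image_match(frame, template=TEMPLATE, tol=0.05):
    """The single-image approach: one frame compared to one template."""
    return shape_distance(frame, template) < tol

def stream_is_live(frames, min_change=0.01):
    """Require non-rigid shape change (blink, expression) across frames."""
    return max(shape_distance(frames[0], f) for f in frames[1:]) >= min_change

def authenticate(frames, template=TEMPLATE):
    """Match and liveness are evaluated on the same stream of frames."""
    return single_image_match(frames[0], template) and stream_is_live(frames)

def moved(pts, dx, dy, s):
    """The same flat shape seen at a different position and distance."""
    return [(x * s + dx, y * s + dy) for x, y in pts]

# Constructed stream 1: a flat picture that only shifts and changes size.
PHOTO_FRAMES = [moved(TEMPLATE, 0, 0, 1.0), moved(TEMPLATE, 5, -3, 1.1),
                moved(TEMPLATE, -4, 2, 0.9)]
# Constructed stream 2: a person whose upper eyelids drop in frame 2.
BLINK = [(30, 43), (30, 44), (70, 43), (70, 44), (50, 60), (50, 80)]
LIVE_FRAMES = [TEMPLATE, BLINK, moved(TEMPLATE, 2, 1, 1.0)]

if __name__ == "__main__":
    print("single image accepts photo:", single_image_match(PHOTO_FRAMES[1]))
    print("stream check, photo:", authenticate(PHOTO_FRAMES))
    print("stream check, live user:", authenticate(LIVE_FRAMES))
```

The single-image matcher accepts every frame of the flat picture, while the stream check rejects it because the normalized shape never changes between frames.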


