WASHINGTON — The face-recognition technologies offered by some laptop vendors as a way for users to securely log onto their systems are deeply flawed and can be relatively easily bypassed, a security researcher warned today at the Black Hat security conference here.
Nguyen Minh Duc, a researcher at Bach Khoa Internetwork Security Centre, a Hanoi-based security firm that is commonly known as Bkis, showed how attackers could break into laptops from Lenovo, Toshiba and Asus featuring face-recognition technologies, simply by using digitized images of the actual user of the systems in each case. The attacks were conducted on a Lenovo system with its Veriface III technology, an Asus system featuring its Smart Logon software and a laptop using Toshiba's Face Recognition technology.
The attacks are possible because the underlying technology used by the vendors for face authentication can be easily fooled — meaning it cannot be trusted for secure log-on purposes, Minh Duc said. He claimed that each of the vendors has been notified of the issue and urged them to reconsider the use of face recognition as a secure log-in option until the problem has been fixed.
Toshiba, Lenovo and Asus are among a handful of vendors currently supporting face authentication as a secure log-in option. The idea is to let a user's face serve as a password for gaining access to a system. Instead of logging in with a username and password, users simply sit in front of a built-in camera on the system that captures an image of their face and compares selected features from the image with those previously registered by the user. Users are granted access only if the images match.
Laptop vendors have touted the technology as safer and easier than relying on usernames and passwords.
The problem, according to Minh Duc, is that face-recognition algorithms cannot tell the difference between a digitized image and a real face. Because the algorithms, in effect, process digital information sent via the camera, it is possible to trick the software with an image of a registered user of a system, he said.
An attacker could obtain a photo of the user and tweak the lighting and viewpoint with commonly available image-editing tools, he said. Because a hacker is unlikely to know what the face stored in the system looks like, he might have to create a large number of digital facial images — each with different lighting and viewpoints — to fool the face-recognition technology. An attacker would need to have a reasonable amount of experience with image editing and regeneration to successfully carry out such attacks, Minh Duc added.
At Black Hat, Minh Duc showed how to access laptops from each of the three vendors simply by placing digitized images of actual users in front of the built-in laptop cameras. The approach worked even when the face-recognition software was set to its highest security setting. With the Toshiba face-recognition technology, Minh Duc had to move the images a bit to fool the technology because it looks for facial movement. It is also possible to use black-and-white images to fool one of the systems, he added.
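The login flow described above (features registered at enrollment, compared against a camera frame, access granted on a match) and the point that a matcher by itself cannot tell a photograph from a face can be modelled in a few lines. The following Python is an added illustration written for this page, not code from Bkis, Lenovo, Toshiba or Asus; the feature vectors, the eye-openness measure, the thresholds and the frame sequences are all constructed assumptions. It shows why the identity decision and the liveness decision have to be separate gates, which is what the facial-movement and eye-movement checks mentioned in the article are meant to provide.

```python
"""
Toy model of camera-based face login and why a pure feature matcher
accepts a still image. Every number, feature vector and frame sequence
here is constructed for illustration; this is not any vendor's code.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Frame:
    features: tuple        # hypothetical face-feature vector extracted from one camera frame
    eye_openness: float    # hypothetical measure, 0.0 (closed) .. 1.0 (open), for the eye region


def feature_distance(a, b):
    """Euclidean distance between two feature vectors (constructed metric)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def features_match(template, frame, threshold=0.15):
    """Identity gate only: does this frame look like the enrolled face?"""
    return feature_distance(template, frame.features) <= threshold


def shows_blink(frames, min_drop=0.5):
    """Liveness gate: did eye openness fall and recover within the capture window?

    A static image reproduces the same eye region in every frame, so the
    spread of the openness measure stays at zero.
    """
    values = [f.eye_openness for f in frames]
    return max(values) - min(values) >= min_drop


def login_decision(template, frames, require_liveness):
    """Combine the two gates. With require_liveness=False the flow is the
    photo-vulnerable one described in the article."""
    if not all(features_match(template, f) for f in frames):
        return "reject: identity"
    if require_liveness and not shows_blink(frames):
        return "reject: no liveness signal"
    return "accept"


# Constructed enrolled template for the legitimate user.
ENROLLED = (0.52, 0.31, 0.77, 0.12)

# Constructed live capture: small per-frame jitter plus a blink in the middle frame.
LIVE_FRAMES = [
    Frame((0.53, 0.30, 0.76, 0.13), 0.95),
    Frame((0.51, 0.32, 0.78, 0.11), 0.20),
    Frame((0.52, 0.31, 0.77, 0.12), 0.93),
]

# Constructed still image held in front of the camera: identical features
# in every frame and an eye region that never changes.
PHOTO_FRAMES = [Frame((0.52, 0.31, 0.77, 0.12), 0.95)] * 3

# Constructed capture of a different person: features far from the template.
IMPOSTOR_FRAMES = [Frame((0.10, 0.80, 0.20, 0.60), 0.95)] * 3


if __name__ == "__main__":
    for label, frames in (("live", LIVE_FRAMES), ("photo", PHOTO_FRAMES), ("impostor", IMPOSTOR_FRAMES)):
        print(f"{label:8s} matcher only : {login_decision(ENROLLED, frames, require_liveness=False)}")
        print(f"{label:8s} with liveness: {login_decision(ENROLLED, frames, require_liveness=True)}")
```

The matcher-only path accepts the still image exactly as it accepts the live user, because both deliver the same feature vector; only the second gate separates them. The article's own caveat applies to the design of that gate: a check based purely on inter-frame motion can be satisfied by moving the whole image, so the toy keys on a change in eye openness instead. A real deployment would still have to tune both thresholds on genuine captures and protect the camera input path itself.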
What makes the vulnerability in laptop face-recognition technology particularly dangerous is that compromises are harder to spot, Minh Duc said. An attacker could gain access to a system without the real user ever knowing about it, he claimed.
In comments sent via e-mail, a Lenovo spokeswoman didn't directly dispute any of the claims made by the security researcher. But she said that the company's VeriFace face-recognition technology offers a "convenient" and "accurate" log-in option for users.
"There are trade-offs between security and convenience, and users should balance the need for convenient, quick access through facial log-in with the higher levels of security that are associated with using complex and lengthy passwords or fingerprint readers," the Lenovo spokeswoman wrote.
She added that VeriFace looks for eye movement to distinguish between a still photograph and a real person. And she said that the face-recognition technology, which is offered only in the vendor's consumer laptops, "continues to be upgraded."