Laptop face-recognition tech easy to hack, warns Black Hat researcher
Digital pictures can fool the built-in systems, Vietnamese researcher claims
Computerworld - WASHINGTON — The face-recognition technologies offered by some laptop vendors as a way for users to securely log onto their systems are deeply flawed and can be relatively easily bypassed, a security researcher warned today at the Black Hat security conference here.
Nguyen Minh Duc, a researcher at Bach Khoa Internetwork Security Centre, a Hanoi-based security firm that is commonly known as Bkis, showed how attackers could break into laptops from Lenovo, Toshiba and Asus featuring face-recognition technologies, simply by using digitized images of the actual user of the systems in each case. The attacks were conducted on a Lenovo system with its Veriface III technology, an Asus system featuring its Smart Logon software and a laptop using Toshiba's Face Recognition technology.
The attacks are possible because the underlying technology used by the vendors for face authentication can be easily fooled — meaning it cannot be trusted for secure log-on purposes, Minh Duc said. He claimed that each of the vendors has been notified of the issue and urged them to reconsider the use of face recognition as a secure log-in option until the problem has been fixed.
Toshiba, Lenovo and Asus are among a handful of vendors currently supporting face authentication as a secure log-in option. The idea is to let a user's face serve as a password for gaining access to a system. Instead of logging in with a username and password, users simply sit in front of a built-in camera on the system that captures an image of their face and compares selected features from the image with those previously registered by the user. Users are granted access only if the images match.
Laptop vendors have touted the technology as safer and easier than relying on usernames and passwords.
The problem, according to Minh Duc, is that face-recognition algorithms cannot tell the difference between a digitized image and a real face. Because the algorithms, in effect, process digital information sent via the camera, it is possible to trick the software with an image of a registered user of a system, he said.
An attacker could obtain a photo of the user and tweak the lighting and viewpoint with commonly available image-editing tools, he said. Because a hacker is unlikely to know what the face stored in the system looks like, he might have to create a large number of digital facial images — each with different lighting and viewpoints — to fool the face-recognition technology. An attacker would need to have a reasonable amount of experience with image editing and regeneration to successfully carry out such attacks, Minh Duc added.
At Black Hat, Minh Duc showed how to access laptops from each of the three vendors simply by placing digitized images of actual users in front of the built-in laptop cameras. The approach worked even when the face-recognition software was set to its highest security setting. With the Toshiba face-recognition technology, Minh Duc had to move the images a bit to fool the technology because it looks for facial movement. It is also possible to use black-and-white images to fool one of the systems, he added.
What makes the vulnerability in laptop face-recognition technology particularly dangerous is that compromises are harder to spot, Minh Duc said. An attacker could gain access to a system without the real user ever knowing about it, he claimed.
In comments sent via e-mail, a Lenovo spokeswoman didn't directly dispute any of the claims made by the security researcher. But she said that the company's VeriFace face-recognition technology offers a "convenient" and "accurate" log-in option for users.
"There are trade-offs between security and convenience, and users should balance the need for convenient, quick access through facial log-in with the higher levels of security that are associated with using complex and lengthy passwords or fingerprint readers," the Lenovo spokeswoman wrote.
She added that VeriFace looks for eye movement to distinguish between a still photograph and a real person. And she said that the face-recognition technology, which is offered only in the vendor's consumer laptops, "continues to be upgraded."
Read more about Laptops in Computerworld's Laptops Topic Center.
- Agility & Scalability for Oracle EBS R12 and RAC on VMware vSphere 5 This white paper outlines extensive performance and scalability testing of Oracle EBS applications on a Vblock™ Systems with vSphere 5.
- Oracle and VCE: The Next Step in Integrated Computing Platforms In this ESG Lab review you will learn how a VCE system driven by Oracle, delivers the perfect blend of high performance and...
- Migrate Oracle Apps from RISC/UNIX to Virtualized x86 Ready to move Oracle to a virtualized environment? This brief explains how true converged infrastructure can help you migrate from a RISC/UNIX environment...
- Step Out of the Bull's-Eye Learn about the evolution of targeted attacks, the latest in security intelligence, and strategic steps to keep your business safe.
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their... All Laptops White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!