Laptop face-recognition tech easy to hack, warns Black Hat researcher
Digital pictures can fool the built-in systems, Vietnamese researcher claims
Computerworld - WASHINGTON — The face-recognition technologies offered by some laptop vendors as a way for users to securely log onto their systems are deeply flawed and can be relatively easily bypassed, a security researcher warned today at the Black Hat security conference here.
Nguyen Minh Duc, a researcher at Bach Khoa Internetwork Security Centre, a Hanoi-based security firm that is commonly known as Bkis, showed how attackers could break into laptops from Lenovo, Toshiba and Asus featuring face-recognition technologies, simply by using digitized images of the actual user of the systems in each case. The attacks were conducted on a Lenovo system with its VeriFace III technology, an Asus system featuring its Smart Logon software and a laptop using Toshiba's Face Recognition technology.
The attacks are possible because the underlying technology used by the vendors for face authentication can be easily fooled — meaning it cannot be trusted for secure log-on purposes, Minh Duc said. He claimed that each of the vendors has been notified of the issue and urged them to reconsider the use of face recognition as a secure log-in option until the problem has been fixed.
Toshiba, Lenovo and Asus are among a handful of vendors currently supporting face authentication as a secure log-in option. The idea is to let a user's face serve as a password for gaining access to a system. Instead of logging in with a username and password, users simply sit in front of a built-in camera on the system that captures an image of their face and compares selected features from the image with those previously registered by the user. Users are granted access only if the images match.
Laptop vendors have touted the technology as safer and easier than relying on usernames and passwords.
The problem, according to Minh Duc, is that face-recognition algorithms cannot tell the difference between a digitized image and a real face. Because the algorithms, in effect, process digital information sent via the camera, it is possible to trick the software with an image of a registered user of a system, he said.
An attacker could obtain a photo of the user and tweak the lighting and viewpoint with commonly available image-editing tools, he said. Because a hacker is unlikely to know what the face stored in the system looks like, he might have to create a large number of digital facial images — each with different lighting and viewpoints — to fool the face-recognition technology. An attacker would need to have a reasonable amount of experience with image editing and regeneration to successfully carry out such attacks, Minh Duc added.
At Black Hat, Minh Duc showed how to access laptops from each of the three vendors simply by placing digitized images of actual users in front of the built-in laptop cameras. The approach worked even when the face-recognition software was set to its highest security setting. With the Toshiba face-recognition technology, Minh Duc had to move the images a bit to fool the technology because it looks for facial movement. It is also possible to use black-and-white images to fool one of the systems, he added.
What makes the vulnerability in laptop face-recognition technology particularly dangerous is that compromises are harder to spot, Minh Duc said. An attacker could gain access to a system without the real user ever knowing about it, he claimed.
In comments sent via e-mail, a Lenovo spokeswoman didn't directly dispute any of the claims made by the security researcher. But she said that the company's VeriFace face-recognition technology offers a "convenient" and "accurate" log-in option for users.
"There are trade-offs between security and convenience, and users should balance the need for convenient, quick access through facial log-in with the higher levels of security that are associated with using complex and lengthy passwords or fingerprint readers," the Lenovo spokeswoman wrote.
She added that VeriFace looks for eye movement to distinguish between a still photograph and a real person. And she said that the face-recognition technology, which is offered only in the vendor's consumer laptops, "continues to be upgraded."