Biometric Face Recognition Exploit

clscott writes "A researcher at the U. of Ottawa has developed an exploit to which most biometric systems are probably vulnerable. He developed an algorithm which allows a fairly high quality image of a person to be regenerated from a face recognition template. Three commercial face rec. algorithms were tested and in all cases the image could masquerade to the algorithm as the target person. Here are links to a talk and a paper. Unfortunately, biometric templates are currently considered to be non-identifiable, much like a password hash. This means that legislation gets passed to require hundreds of millions of people to have their biometrics encoded onto their passports. This kind of vulnerability could mean that anyone who reads these documents has access to the holders fingerprint, iris images, etc."

Facial recognition

...doesn't work worth a damn anyway. Other forms of biometric authentication are much more reliable.

Re:Facial recognition

[Herr_Nightingale]

the point that EVERYbody is missing is that biometric authentication is inherently flawed - it's like a password that cannot be changed. Obviously there are innumerable flaws. How is this news?

The solution: store biometric data on a Java Card

[ikewillis]

I think this only further proves the need for something like a Java Card

(btw, I don't work for Sun)

A Java Card would allow you to store information (in this case biometric data) in a way that the data could be used in some sort of transformation but the original data is protected.

Were biometric data to be included on Passports, I see no better way to store it than in a Java Card. Portions of the biometric data analysis could be offloaded onto the Java Card itself, until an acceptable and mutual balance of trust and distrust can be achieved between the biometric processing algorithms and the data on the Java Card. In this way the biometric data is never exposed directly to the outside world, so one need not worry about it getting leaked to the "bad guys" even if your passport were stolen.

Does the database depend on obscurity?

[astrashe]

I've been curious about these databases and how they work. They have to take the images and proces them, presumably into some sort of n-tuple. And then they database that.

But how will they handle changes? I mean, people will probably figure out how the recognition works, and learn how to trick it. If you know the scheme, it probably wouldn't be too hard.

If they have a giant database of these n-tuples, generated from photos, will they have to recrunch every photo in the db when they want to improve the system, or respond to holes that emerge? I guess they'll have a lot of computer power, so it's probably not too bad.

The thing that worries me about this stuff is the possibility that the crooks and terrorists will be able to defeat it trivially, but the average citizen will be tracked everywhere he or she goes.

Not a surprise

[Henry+V+.009]

Anyone who has done work on computer vision would have guessed this to be so. What would interest me is in how it would be possible to exploit the algorithms, i.e., how bad of a picture can you get away with? Certain images that might not look anything like a face to you or me will quite possibly be able to fool the system.

The passport angle is probably a red herring though. The unreliability of photo identification is already known. Identity theft is simple and easy. Hell, here in New Mexico, we've already been the first state to accept 'Matricula Consular' cards as valid ID for driver's licenses. Matricula Consular cards, of course, are given out by Mexican embassies to undocumented Mexicans living in the US. By 'undocumented,' I mean illegal, of course. Check out the immigration reform site www.vdare.com for some more information on the subject.

RTFA yourself

[MarcoAtWork]

You don't understand what the article is talking about. When you enroll in a biometric system, the system itself -doesn't- match based on your picture, but on a 'template' which is created by taking your standard data and performing certain destructive operations to arrive to a much smaller 'template' which can still be used to identify you.

This is very similar to the one-way hashing that happens with unix passwords, only that in this case the hashing is 'lossier' so you have 'confidence scores' instead of a black/white answer.

The article shows that given this 'hashed' value you can recreate an image that has a good chance of not only being authenticated by the same system/algorithm (which already should be very hard, given the one-way nature of the templatization) =BUT= also by different systems!

It also is really interesting how if you have access to the 'confidence score' outputted by the recognizer, you can take arbitrary images and blending/averaging them again come up with an image that works.

This is definitely not useless news and will have quite some implications.

Re:RTFA yourself

[dbrutus]

Did you notice that nobody's using biometric systems that aren't also sold to companies. All you really need is to have a front company that says it needs a secure biometric company id system. The same people that sold the US their system will happily sell you an exact copy scaled down to one site. Once you own the system, you can run it to your heart's content. You can get data off of passports and create proper fakes at your leisure.

Total cost for piercing the false security of the system? Way to little to be a barrier to ObL.

Re:RTFA yourself

[MarcoAtWork]

I originally thought the same, but have a look at slide 15, the researcher says:

'Access to templates OR match scores implies access to biometric sample image' (emphasis mine)

I originally thought that you needed both, but after re-reading the presentation a few times it seems the researcher has -TWO- different exploits, one which regenerates things from the biometric data (samples not shown) and the other which takes arbitrary pics and by using the match percentage iterates a few times until it finds something that passes.

If I misunderstood and you need both things, please correct me.

Re:This problem is solved by redundancy

[randyest]

This isn't a problem because most people have extras of the body parts used for most biometric schemes.
It's not a problem at all. On the contrary, it is a really good discovery IMHO. The most important conclusion from this is (from the talk slides):

Biometric software systems should provide yes/no only, with no match score values.

My question is: why would the software systems ever need to give a match score value, instead of a yes/no answer in the first place? It's not like the algorithm developer is there operating the machine and can thus use the score result to help decide what to do with "near" matches. Most of the people using these machines, I would surmise, are pretty clueless about how they work (except in a very general sense, of course), so providing a score result would only be confusing and a potential source of misidentification:

"Hmm, that John Doe matched with a score of 95, and it turned out not to be the guy, so this 94 score can't possibly really be Osama Bin Laden -- go ahead and let him on the plane with his antique ceremonial religious knives."

Either the system thinks it knows the person's face, or it doesn't. That's all it needs to say. Saying just that and nothing more will protect privacy (in that you can't reconstruct the face without the template and quantitative match score results), and it will prevent operator confusion and some types of misapplication.

Not as significant as you might think

[swillden]

This isn't such a big deal for face recognition systems, because face recognition systems suck at identifying people anyway. Why? First a little tereminology:

With any biometric matcher you have to define a match "tolerance", which defines how close a pair of templates (usually one from a database and one from a livescan) have to be before they're considered to be a match. Set this tolerance too "loose" and you get lots of false positives (matches that shouldn't match), set it too "tight" and you get the opposite, false negatives. The tolerance setting where you get roughly the same number of errors each way is called the equal error point, and the error rate is called the equal error rate (abbreviated ERR for some unfathomable reason).

Well, all current face recognition systems have an ERR that is too high to be useful in nearly any situation, even when used for identity verification, as opposed to the much-harder problem of identification (verification: I say I'm Bill Gates, and the system agrees; identification: The system says I'm Bill Gates, not RMS or anyone else). It's possible that in the future this will change, of course.

However, this doesn't really matter because we already have ready access to an excellent and very widely available face recognition system: the Mark I eyeball. Millions of years of evolution have made people extremely good at identifying and matching human faces. What people aren't so good at (with notable exceptions) is matching a face against a database of thousands of faces they've seen only once, and *that* is something that face recognition systems can do extremely well. They may not be able to decide which faces are a "match", but they can do an excellent job of finding the *closest* faces, which can then be reviewed by the super-duper face-matching algorithm contained in the average person's head.

When automated face recognition is used in that sort of context, spoofs like this one are unlikely to be very useful; if you want to impersonate someone you'd better get a face that's good enough to fool another human. It's doable, certainly, but much harder. And holding a laptop screen in front of your face is likely to raise some suspicions.

Re:I don't have one, do you?

[warloch71]

Last time I checked, you didn't need a passport to fly within the US, to buy a car, to rent a movie...big deal I say. You DO know that Planet Earth doesn't stop at the US border, don't you ?

Re:Sounds easy to fix...

[jonatha]

Unlike all the *other* problems with biometrics, like false positives/false negatives/gelatin sheet spoofing, showing the camera a photograph, etc., this one seems like it should be easy to solve: don't store the biometric data, instead, treat it like a password and store a cryptographic hash of it instead.

The paper explicitly covers encryption, etc., of the data.

Any system that uses the data to decide whether or not the presented (fake) pattern matches the template is subject to this attack, i.e., hashing the data won't help.

Simple algorithm. It works.

[jetmarc]

The algorithm they used is simple. They use the face recognition
system as "oracle" and present different images until the match
is achieved. The different images are not chosen at random, but
rather evolutionary. That is, a selection of images is presented,
and the best (highest score) is chosen. Recursively, new selections
are derived from the best image, and again presented to the oracle.

According to the article 24,000 images are necessary to achieve
convergence, when the initial images were specifically chosen to
NOT be visually similar to the "target" image.

Some oracles can't be questionned 24,000 times - eg at an airport
or an ATM machine. You might become arrested long before finished.

However, often press releases indicate which company designed the
software for a particular implentation of face recognition. You
can easily purchase other software of the same company (or find
an OEM product) and thus have the same (or very similar) oracle
on your desk at home. There you can do the 24,000 iterations to
get ahold of the "good" image and then proceed to remodel your
face or whatever way you intend to "present" the image to the
real face recognition system.

In my opinion, biometrics just doesn't work for security. Because
everyone is open to see the datasets.

Just look at those stupid press releases of Siemens/Infineon, who
make high-payed security engineers invent ATM cards with finger
print sensors. Owners finger print => money from ATM. Where does
owner leave his finger print, when handling the card? Couldn't be
on the very ATM card, possibly?

Acceptable security requires

a) something you have, and

b) something you know.

When the item you have is stolen, the thief lacks the information
you know. And vice-versa, when the secret is learned (eg shoulder
surfing at ATM), the item you have still misses to complete the
electronic robbery.

Biometrics is something you have, not something you know. That is
the key thing to learn here!

It can be copied, without your noticing, but that doesn't make it
category b). It still is something you have, because everybody has
access to it when he's physically near to you. You can't just shut
up to make it stay secret.

Therefore, biometrics won't (ever) work as long as it's coupled with
other category a) stuff. A biometric dataset can possibly replace a
physical token, but it can NOT replace a PIN code.

I'm happy that this is once again demonstrated, with press coverage.

Marc

Re:Simple algorithm. It works.

[FreezerJam]

>No. Biometrics is something you *are*.
>A card or other token is something you have.

Your finger and your face are "something you are".

But the biometric is something you have.

I can't "be you". But I can have your measurements. You are not your measurements.

Re:This problem is solved by redundancy

[PaulBu]

Maybe because in different situations different threshold would have to be applied. E.g., if it is a terrorist monitoring camera on a random street corner, it might not be feasible to unleash FBI agents after every guy who matched at 80%, but if that random street corner happens to be in Washington, DC across the street from the White House, 80% confidence might be a reason to trigger further actions.

And if it is a camera in the cash machine and you claim that you are Joe and want to get your $500, you better match Joe's face at, say, 99% (it can also ask you to turn a bit and face the lens if your score is lower than some threshold.

Another example, if an airport screener can realistically check 10 people out of a hundred, she chooses ones with the highest scores. Yes, it might mean that John Doe in your example will be checked, and Osama will be not, IF there are other 9 people in line with scores >=95.

Algorithms used might be the same, but exact policy is implemented by taking scores into account.

There is more than binary yes/no in this world...

Paul B.

P.S. Not that I know anything about the actual numbers or policies, but I can see the value of having the scores available to people who program the machine, but not necessarily to the screeners (if any) who operate them.

Think of what might happen to body parts

[gotr00t]

When will people get concerned that their body parts are now vulnerable? Desperate criminals who want to infiltrate, or governments, for that matter, would find it rather suitable to simply kill a person and remove their face, eyes, fingers, etc., to use in a biometrics device.

This is even easier to compromise than having a keycard or something, as the individual could at least hide it somewhere. They CAN'T hide their face without