Slashdot Mirror


Biometric Face Recognition Exploit

clscott writes "A researcher at the U. of Ottawa has developed an exploit to which most biometric systems are probably vulnerable. He developed an algorithm which allows a fairly high quality image of a person to be regenerated from a face recognition template. Three commercial face rec. algorithms were tested and in all cases the image could masquerade to the algorithm as the target person. Here are links to a talk and a paper. Unfortunately, biometric templates are currently considered to be non-identifiable, much like a password hash. This means that legislation gets passed to require hundreds of millions of people to have their biometrics encoded onto their passports. This kind of vulnerability could mean that anyone who reads these documents has access to the holder's fingerprint, iris images, etc."

12 of 188 comments

  1. Other systems too? by mgcsinc · · Score: 4, Interesting

    Personally I use BioPassword for authenticating my workstation using keystroke recognition, so I seem to be safe from the exploit as yet; holding an image up to a computer seems like it would require considerably less effort than attaching a PS2 device that typed at exactly the correct rate. Nonetheless, I wonder if this discovery will prompt the redesigning of the way user data is stored across the biometric spectrum, going as far as the oft considered-foolproof keystroke systems...

    1. Re:Other systems too? by spydir31 · · Score: 3, Interesting

      Keystroke and timing capture/playback is trivial, I wouldn't go trusting that as secure.

  2. One thing that is missing from "the spoof" by adzoox · · Score: 5, Interesting
    A company local to me has a biometric scan + retina and thumbprint scan, but it also takes your body temp average/signature .... the combination of the three is pretty hard, if not impossible, to spoof. And anyone that can was going to break into your system anyway. (With the VERY expensive equipment and extensive knowledge it would take to reproduce all three)

    Sometimes we give criminals too much credit. Again, if it's someone that can go through all three of those, they were going to get past the toughest of Indiana Jones hurdles.

    --
    Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
  3. RTFA by Uhh_Duh · · Score: 1, Interesting

    You'll notice that the data is insecure so much as the database the biometric information is stored in is protected.

    All they're saying is that if they have access to that information, they can generate something that can authenticate against it. (DUH!)

    The moral of the story is that if you don't want someone to pretend to be Bob's face, don't give anyone access to the database that has the information on what Bob's face looks like to the biometric scanners. /. has sure been good at wasting my time with useless news lately.

    --
    -- People who hate Windows use Linux. People who love UNIX use BSD.
  4. Joe Average User... by Greyfox · · Score: 4, Interesting
    Is going to be awfully put out when the authorities hold him because someone with his biometric pattern did something highly illegal.

    He will be in the position of being assumed guilty because everyone knows that biometrics don't lie and are completely infallible. Thanks to legislation like the DMCA, no one will testify that the systems are, indeed, very easy to compromise. It'll be illegal to talk about those aspects of security. Not that the law has ever stopped the black hats...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Joe Average User... by Poeir · · Score: 2, Interesting

      Alphonse Bertillon advanced a system which would provide "unique" identification by taking measurements of various bones throughout the body. In 1903, two prisoners at the same facility were found to have almost identical Bertillon measurements, and the system was more or less scrapped. Modern facial recognition systems work in a manner similar to the Bertillon one, by comparing the ratio/measurement between various components of the face, like eyes, ears, nose, et cetera.

      Sir Francis Galton's work regarding fingerprints superseded the Bertillon system, and even that has shown some weaknesses. Overall, biometrics do not appear to be as secure as one would expect to me.

      --
      Sigs are like bumper stickers.
  5. why passports at all? by civilengineer · · Score: 1, Interesting

    With this kind of technology (biometrics), the need for a passport should be eliminated, right?
    A machine should look into your eye and make sure you are genuine, eliminating the need for a passport.

    --

    New year Resolution: Don't change sig this year
  6. Re:paranoia by SoSueMe · · Score: 2, Interesting

    Here is a little more on this.

  7. Biometrics 101 by stupendou · · Score: 2, Interesting

    While this is an interesting exploit, the sky isn't falling. Any and all biometric systems can be exploited, and in similar ways.

    However, for this particular exploit to affect passport security and the like, the entire system would have to be automated, so that there would be no one to notice the perpetrator was holding a photo of someone else in front of his face as he walked by.

    To guard against exploits like these in totally automated systems, the data that is fed into the matching system should be digitally signed, so that it is clear where the data is coming from (e.g. a real fingerprint sensor, etc.).

    Even so, a fake face or a fake finger can indeed spoof many biometric systems. Luckily, border crossings and airport security have humans in the loop to prevent these kinds of exploits (or to accept bribes to allow them!).
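
Added example (not part of the comment above and not code from any system mentioned in this thread): a sketch of the "authenticated sensor data" idea, in which the matcher issues a one-time nonce and only accepts a capture whose tag binds that nonce to the sample. An HMAC with a shared key stands in for the digital signature the comment proposes; `SENSOR_KEY`, `sensor_capture` and `Matcher` are hypothetical names and the sample bytes are constructed.

```python
import hashlib
import hmac
import os

# Constructed key: stands in for a secret provisioned into a trusted sensor.
SENSOR_KEY = b"constructed-demo-key-not-a-real-secret"


def sensor_capture(key: bytes, nonce: bytes, sample: bytes) -> dict:
    """Sensor side: bind the raw sample to the matcher's challenge nonce."""
    tag = hmac.new(key, nonce + sample, hashlib.sha256).digest()
    return {"nonce": nonce, "sample": sample, "tag": tag}


class Matcher:
    """Matcher side: only accepts fresh captures authenticated by the sensor."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()  # nonces issued but not yet used

    def challenge(self) -> bytes:
        nonce = os.urandom(16)  # fixed length keeps nonce + sample unambiguous
        self._pending.add(nonce)
        return nonce

    def accept(self, msg: dict) -> str:
        nonce = msg.get("nonce", b"")
        if nonce not in self._pending:
            return "rejected: unknown or replayed nonce"
        self._pending.discard(nonce)  # one use per challenge
        expected = hmac.new(self._key, nonce + msg["sample"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg.get("tag", b"")):
            return "rejected: bad tag (not from the sensor, or modified)"
        return "accepted: forward sample to template comparison"


def demo() -> list:
    m = Matcher(SENSOR_KEY)
    genuine = sensor_capture(SENSOR_KEY, m.challenge(), b"constructed-face-bytes")
    results = [m.accept(genuine)]       # fresh, authenticated capture
    results.append(m.accept(genuine))   # the same message sent a second time
    injected = {"nonce": m.challenge(), "sample": b"synthetic-image", "tag": b"\0" * 32}
    results.append(m.accept(injected))  # data that never passed through the sensor
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

This only covers data fed to the matcher without passing through the sensor; a photo held up to the genuine sensor is still authenticated, which is the limit the comment itself goes on to note.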

  8. How to fix the problem by Atario · · Score: 4, Interesting

    Make the cameras use x-ray backscattering (as in the earlier story today) of your face. Then in order to spoof the system, a printout of your picture (generated from the hash or not) would not work -- you'd have to build something that recreates your x-ray backscatter and show that to the camera. (I'm assuming that would be much more difficult, like making a sculpture out of meat or something -- anyone in the know wish to shoot down my theory?)

    Of course, then there's the issue of getting x-rayed in the face every time you walk in the door...

    --
    "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
    1. Re:How to fix the problem by agrippa_cash · · Score: 2, Interesting

      Or some face topography scheme (IR distance sensors etc...), or make people turn their head so that the computer has to validate x number of positions between a frontal and quarter profile. Thermal is too easy to fool. No doubt these methods also could be fooled and likely successfully reversed as well. But the more complicated the verification, the more complicated circumvention will have to be. It appears that the current scheme is easier to circumvent than implement.

  9. Sorry, not comparatively hard by mattr · · Score: 2, Interesting
    Nope, check out this.

    An associate of mine runs a small factory in Japan where they make 3d-printers, much of the technology is from Texas-based DTM. Can't find their homepage, I think they might be owned or were by BFGoodrich. Many companies use their Sinterstation, which uses a laser to fuse nylon or metal powder deposited in thin layers inside the production bay.

    The machines are I believe in the hundreds of thousands of dollars each but they are used to make prototypes like mobile phone shells, or molds as for experimental automotive parts.

    Anyway nylon is easy, but they also have a rapidsteel process and the holy grail I understand is titanium, which would allow you to create surgical implants like joint replacements. As you can see in the link above, you can already pretty easily produce a 3d model of your skull from Cat-scan tomography. I've only seen plastic versions, though they might be more appropriate to trying to mimic x-ray backscatter from bone, and much cheaper than going through the trouble of making a mold, pouring metal, and finishing it. Hospitals are probably a lot easier to penetrate than these biometric systems. Come to think of it, you could skip the biometric penetration and just use anthropological techniques to build a face over the skull based on known data about skin depth at different parts of the skull. Painting surface features based on pictures taken with a telephoto lens would also be cheap compared to the price tag mentioned in this thread for biometric analysis equipment.