Slashdot Mirror

← Back to Stories (view on slashdot.org)

Biometric Face Recognition Exploit

Posted by michael on from the faceoff dept.

clscott writes "A researcher at the U. of Ottawa has developed an exploit to which most biometric systems are probably vulnerable. He developed an algorithm which allows a fairly high quality image of a person to be regenerated from a face recognition template. Three commercial face rec. algorithms were tested and in all cases the image could masquerade to the algorithm as the target person. Here are links to a talk and a paper. Unfortunately, biometric templates are currently considered to be non-identifiable, much like a password hash. This means that legislation gets passed to require hundreds of millions of people to have their biometrics encoded onto their passports. This kind of vulnerability could mean that anyone who reads these documents has access to the holders fingerprint, iris images, etc."

5 of 188 comments (clear)

  1. Other systems too? by mgcsinc · · Score: 4, Interesting

    Personally I use BioPassword for authenticating my workstation using keystroke recognition, so I seem to be safe from the exploit as yet; holding an image up to a computer seems like it would require considerably less effort than attaching a PS2 device that typed at exactly the correct rate. Nonetheless, I wonder if this discovery will prompt the redesigning of the way user data is stored across the biometric spectrum, going as far as the oft considered-foolproof keystroke systems...

    1. Re:Other systems too? by spydir31 · · Score: 3, Interesting

      Keystroke and timing capture/playback is trivial, I wouldn't go trusting that as secure.

  2. One thing that is missing from "the spoof" by adzoox · · Score: 5, Interesting
    A local company to me, has a biometric scan + retina and thumbprint scan, but it also takes your body temp average/signature .... the combination of the three are pretty hard, if not impossible, to spoof. And, anyone that can, was going to break into your system anyway. (With the VERY expensive equipment and extensive knowledge it would take to reproduce all three)

    Sometimes we give criminals to much credit. Again, if it's someone that can go through all three of those, they were going to get past the toughest of Indiana Jones hurdles.

    --
    Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
  3. Joe Average User... by Greyfox · · Score: 4, Interesting
    Is going to be awfully put out when the authorities hold him because someone with his biometric pattern did soemthing highly illegal.

    He will be in the position of being assumed guilty because everyone know that biometrics don't lie and are completely infallable. Thanks to legislation like the DMCA, no one will testify that the systems are, indeed, very easy to compromise. It'll be illegal to talk about those aspects of security. Not that the law has ever stopped the black hats...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  4. How to fix the problem by Atario · · Score: 4, Interesting

    Make the cameras use x-ray backscattering (as in the earlier story today) of your face. Then in order to spoof the system, a printout of your picture (generated from the hash or not) would not work -- you'd have to build something that recreates your x-ray backscatter and show that to the camera. (I'm assuming that would be much more difficult, like making a sculpture out of meat or something -- anyone in the know wish to shoot down my theory?)

    Of course, then there's the issue of getting x-rayed in the face every time you walk in the door...

    --
    "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt