Slashdot Mirror
Biometric Face Recognition Exploit
clscott writes "A researcher
at the U. of Ottawa has developed an exploit to which most
biometric systems are probably vulnerable.
He developed an algorithm which allows a fairly high
quality image of a person to be regenerated from a
face recognition template. Three commercial face rec.
algorithms were tested and in all cases the image could
masquerade to the algorithm as the target person.
Here are links to a
talk
and a
paper.
Unfortunately, biometric templates are currently considered
to be non-identifiable, much like a password hash.
This means that
legislation gets passed to require
hundreds of millions of people to have their biometrics
encoded onto their passports. This kind of vulnerability
could mean that anyone who reads these documents has access
to the holders fingerprint, iris images, etc."
(P.S. Please no replies from humor-impaired folks.)
Personally I use BioPassword for authenticating my workstation using keystroke recognition, so I seem to be safe from the exploit as yet; holding an image up to a computer seems like it would require considerably less effort than attaching a PS2 device that typed at exactly the correct rate. Nonetheless, I wonder if this discovery will prompt the redesigning of the way user data is stored across the biometric spectrum, going as far as the oft considered-foolproof keystroke systems...
maybe i should extend my tin-foil hat to a tin-foil facemask and a pair of shiny gloves... that way they'll never recognise me!
Sometimes we give criminals to much credit. Again, if it's someone that can go through all three of those, they were going to get past the toughest of Indiana Jones hurdles.
Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
The fallibility of biometric systems has been widely known since a scientific expose was released on the topic no less than five years ago.
Not anymore, Palladium is here to save us.
Speak before you think
**Guy snooping on a girl sunbathing**
Want to snoop on your neighbor?? Want to trespass?? Want to know if there are Aliens at Area 51???
GET YOUR OWN BIOMETRIC FACE MASTER TEMPLATE. Guaranteed to *FOOL* all Biometric Scanners. Get the *NEW* and *IMPROVED* BIOMETRIC FACE MASTER TEMPLATE from X10. It will even fool our OWN SECURITY CAMERA!!! Our NEW special offer, buy one BFMT and get PRE-APPROVED Bail for FREE (good for 5000 dollars) ORDER NOW!!!
the point that EVERYbody is missing is that biometric authentication is inherently flawed - it's like a password that cannot be changed. Obviously there are innumerable flaws. How is this news?
He will be in the position of being assumed guilty because everyone know that biometrics don't lie and are completely infallable. Thanks to legislation like the DMCA, no one will testify that the systems are, indeed, very easy to compromise. It'll be illegal to talk about those aspects of security. Not that the law has ever stopped the black hats...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Anyone who has done work on computer vision would have guessed this to be so. What would interest me is in how it would be possible to exploit the algorithms, i.e., how bad of a picture can you get away with? Certain images that might not look anything like a face to you or me will quite possibly be able to fool the system.
The passport angle is probably a red herring though. The unreliability of photo identification is already known. Identity theft is simple and easy. Hell, here in New Mexico, we've already been the first state to accept 'Matricula Consular' cards as valid ID for driver's licenses. Matricula Consular cards, of course, are given out by Mexican embassies to undocumented Mexicans living in the US. By 'undocumented,' I mean illegal, of course. Check out the immigration reform site www.vdare.com for some more information on the subject.
You don't understand what the article is talking about. When you enroll in a biometric system, the system itself -doesn't- match based on your picture, but on a 'template' which is created by taking your standard data and performing certain destructive operations to arrive to a much smaller 'template' which can still be used to identify you.
This is very similar to the one-way hashing that happens with unix passwords, only that in this case the hashing is 'lossier' so you have 'confidence scores' instead of a black/white answer.
The article shows that given this 'hashed' value you can recreate an image that has a good chance of not only being authenticated by the same system/algorithm (which already should be very hard, given the one-way nature of the templatization) =BUT= also by different systems!
It also is really interesting how if you have access to the 'confidence score' outputted by the recognizer, you can take arbitrary images and blending/averaging them again come up with an image that works.
This is definitely not useless news and will have quite some implications.
-- the cake is a lie
Make the cameras use x-ray backscattering (as in the earlier story today) of your face. Then in order to spoof the system, a printout of your picture (generated from the hash or not) would not work -- you'd have to build something that recreates your x-ray backscatter and show that to the camera. (I'm assuming that would be much more difficult, like making a sculpture out of meat or something -- anyone in the know wish to shoot down my theory?)
Of course, then there's the issue of getting x-rayed in the face every time you walk in the door...
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
This isn't such a big deal for face recognition systems, because face recognition systems suck at identifying people anyway. Why? First a little tereminology:
With any biometric matcher you have to define a match "tolerance", which defines how close a pair of templates (usually one from a database and one from a livescan) have to be before they're considered to be a match. Set this tolerance too "loose" and you get lots of false positives (matches that shouldn't match), set it too "tight" and you get the opposite, false negatives. The tolerance setting where you get roughly the same number of errors each way is called the equal error point, and the error rate is called the equal error rate (abbreviated ERR for some unfathomable reason).
Well, all current face recognition systems have an ERR that is too high to be useful in nearly any situation, even when used for identity verification, as opposed to the much-harder problem of identification (verification: I say I'm Bill Gates, and the system agrees; identification: The system says I'm Bill Gates, not RMS or anyone else). It's possible that in the future this will change, of course.
However, this doesn't really matter because we already have ready access to an excellent and very widely available face recognition system: the Mark I eyeball. Millions of years of evolution have made people extremely good at identifying and matching human faces. What people aren't so good at (with notable exceptions) is matching a face against a database of thousands of faces they've seen only once, and *that* is something that face recognition systems can do extremely well. They may not be able to decide which faces are a "match", but they can do an excellent job of finding the *closest* faces, which can then be reviewed by the super-duper face-matching algorithm contained in the average person's head.
When automated face recognition is used in that sort of context, spoofs like this one are unlikely to be very useful; if you want to impersonate someone you'd better get a face that's good enough to fool another human. It's doable, certainly, but much harder. And holding a laptop screen in front of your face is likely to raise some suspicions.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
At least I don't have to cut someone's fingers off/eyes out/head off/etc. to get past these types of security measures any more.
Whew! What a relief.
Every comment I have read has missed the point!
This is not an exploit designed to show that biometric systems can be fooled or that you could create some kind of fake image that would match an existing one.
The whole point is that this shows that biometric templates are privacy-sensitive. Previously it was thought that they could be stored and promulgated without interfering with anyone's privacy, because it was thought to be infeasible to start from the template and reconstruct personally identifiable information about the subject.
The new paper shows that this is not true; from the templates, you can reconstruct an identifiable picture of the individual. That means that, for example, if you had a bunch of templates of people who went in for an AIDS test, you could re-create pictures of the people who went in, adequate to recognize individuals.
This would therefore interfere with the privacy of those individuals. And that implies that templates need to be subject to the same kind of privacy restrictions as other forms of personally identifying information, a standard to which they have not traditionally been held.
And that's the point of the paper.
The algorithm they used is simple. They use the face recognition
system as "oracle" and present different images until the match
is achieved. The different images are not chosen at random, but
rather evolutionary. That is, a selection of images is presented,
and the best (highest score) is chosen. Recursively, new selections
are derived from the best image, and again presented to the oracle.
According to the article 24,000 images are necessary to achieve
convergence, when the initial images were specifically chosen to
NOT be visually similar to the "target" image.
Some oracles can't be questionned 24,000 times - eg at an airport
or an ATM machine. You might become arrested long before finished.
However, often press releases indicate which company designed the
software for a particular implentation of face recognition. You
can easily purchase other software of the same company (or find
an OEM product) and thus have the same (or very similar) oracle
on your desk at home. There you can do the 24,000 iterations to
get ahold of the "good" image and then proceed to remodel your
face or whatever way you intend to "present" the image to the
real face recognition system.
In my opinion, biometrics just doesn't work for security. Because
everyone is open to see the datasets.
Just look at those stupid press releases of Siemens/Infineon, who
make high-payed security engineers invent ATM cards with finger
print sensors. Owners finger print => money from ATM. Where does
owner leave his finger print, when handling the card? Couldn't be
on the very ATM card, possibly?
Acceptable security requires
a) something you have, and
b) something you know.
When the item you have is stolen, the thief lacks the information
you know. And vice-versa, when the secret is learned (eg shoulder
surfing at ATM), the item you have still misses to complete the
electronic robbery.
Biometrics is something you have, not something you know. That is
the key thing to learn here!
It can be copied, without your noticing, but that doesn't make it
category b). It still is something you have, because everybody has
access to it when he's physically near to you. You can't just shut
up to make it stay secret.
Therefore, biometrics won't (ever) work as long as it's coupled with
other category a) stuff. A biometric dataset can possibly replace a
physical token, but it can NOT replace a PIN code.
I'm happy that this is once again demonstrated, with press coverage.
Marc
This is even easier to compromise than having a keycard or something, as the individual could at least hide it somewhere. They CAN'T hide their face without
A useful password hash (at least one that isn't considered to be plain-text equivalent) is a cryptographic hash. A cryptographic hash is one thought to be np-hard.
...
For instance, take this simple hash:
uint32_t hash;
for (size_t i=0; i < str.length(); i++) {
hash += str[i];
}
Given an input of say, foobar, one would get a hash of 633. Now, if I start with an arbitrary password of say, google, I get a hash of 637.
Since I know that slight adjustments to the word, produce slight differences, I know that I can just start moving letters one space down the alphabet until I find a matching value.
Lets say I choose:
google -} 637
foogle -} 636
fnogle -} 635
fnngle -} 634
fnnfle -} 633 *bingo*
So know I've successfully "exploited" this password protection mechanism.. This is why it's referred to as plain-text equivalent.
A cryptographic hash though has the interesting proper that a small change results in a unpredictable different. For instance, in the same example you might get:
google -} 3453
foogle -} 234543
fnogle -} 234
fnngle -} 23425434
fnnfle -} 53424
There's no reason biometrics can't be cryptographically strong. It's just that the algorithms currently being aren't. That's no big news for anyone with even half a clue stick.
int func(int a);
func((b += 3, b));
"He developed an algorithm which allows a fairly high quality image of a person to be regenerated from a face recognition template..."
This kinda reminds me of the part in Space Quest III, where you gain access to the restricted area inside ScumSoft by holding up a xeroxed picture of the CEO's face to the facial recognition scanner.