Slashdot Mirror
Researchers Hack Biometric Faces
yahoi sends in news from a week or so back: "Vietnamese researchers have cracked the facial recognition technology used for authentication in Lenovo, Asus, and Toshiba laptops in lieu of the standard logon/password. The researchers were able to easily bypass the biometric authentication system built into the laptops by using photos of an authorized user, as well as by presenting multiple phony facial images in brute-force attacks. One of the researchers will demonstrate the hack at Black Hat DC this week. He says the laptop makers should remove the facial biometrics feature from their products because the vulnerability of this technology can't be fixed."
Shouldn't they get charged with hacking the researchers faces off? That is kind of brutal no?
He says the laptop makers should remove the facial biometrics feature from their products because the vulnerability of this technology can't be fixed.
If that's the standard, all security features should be removed. Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in. The object is to make this unreasonably hard for most applications.
If you get your laptop lifted at the coffee shop, they better lift your wallet too I guess.
=======
Science -- Sealed, Delivered.
This is a much easier solution than what Nicholas Cage and John Travolta had to go through.
There's no -1 for "I don't get it."
A use for this life-sized photo of Sarah Palin's face.
Any security measure other than a (secure) password for computers are not going to provide much security. Fingerprint scanners can be bypassed, physical dongles can be duplicated, and other things are trivial to remove. A secure password with encryption is the only way that you can really make sure a computer is 100% secure. But most people don't need 100% security. There are very few robbers who would steal a laptop then proceed to attempt to remove data on it via fingerprints or other biometrics. So for the average user, it isn't a security risk. Its like saying that locking your door at night isn't good enough because a determined person can break through the glass.
Taxation is legalized theft, no more, no less.
The researchers were able to easily bypass the biometric authentication system built into the laptops by using photos of an authorized user [...]
Tragically, sadly obvious. Not even a hack, really.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
... into laptop authentication device with remaining eye.
My password is 'penis'. If you know what I mean.
the vulnerability of any Password system, if you have sufficient time and access.
Well, I suppose you could sit up a system to self-destruct after a number of failed attempts, but really, how many of us need that?
Even made a point of saying "facial recognition systems aren't all that secure. They can't tell the difference between a person and a photo of the person". Then he proceeded to break into the room by holding up a picture of someone that had access.
http://www.primidi.com/2004/11/26.html
"3D Biometric Facial Recognition Comes To UK"
(2004)
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Good security includes at least two methods of authentication: 1) something you have (smart card), 2) something you know (password/passphrase), and/or 3) something you are (biological property of you). Facial biometrics would be classified as something you are. Combining this technology with a sufficiently complex password in a 2-stage authentication process would be plenty strong for home/consumer use. Of course security is vulnerable when you only use one method. Password crackers have been available for decades.
...your average joe-6-pack criminal isn't going to have the brain cells for black hat cracking stuff like this. If they can't get into the laptop, they are probably going to part it out and sell it for any money they can get. On the other hand, if they have full access and can get wifi somewhere, then having Adeona (http://adeona.cs.washington.edu/) installed might pay off. A chance of getting your laptop back is probably better than none at all... If you're really concerned about security, true crypt + usb key would probably be a better choice imo. I guess it all comes down to how_secure you want your laptop to be...
Once upon a time in a mythical land called Soviet Russia, a hot bowl of grits had Natalie Portman.
Of course it was the fucking Vietcong!
Not for that. But they should be careful because they probably just pissed off a load of laptop and biometrics software manufacturers who will likely lobby for their being arrested if they land in the US, or if they commence their presentation.
Haven't they heard of Russian and other national's programmers being arrested or threatened with arrest if they land here?
But, if they are REALLY good, they've come up with a solution (for however long decent solutions can be expected to last...), and boost Vietnam's programmer prominence. They're doing not too shabby in the shipbuilding industry
Vinashin:
http://www.vinashin.com.vn/english/Capacity.asp
Hyundai-Vinashin:
http://www.hyundai-vinashin.com/
Maybe they can help out with the US TSA/TWIC/Port Security algorithms?
But, if they get arrested, I don't think Vietnam will take this lightly. The US better go light on this one because if the biometric software touted as good enough for consumers is a fraud, or shoddy at best, then these programmers are nothing less and probably a little bit more than responsible whistleblowers in my book. Why stand by and watch vapor/failure/crapware enter the market if it can be headed off?
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Wonder if, when you 'enrolled' your face in the recognition software, you held your hand(s) up in the image forming a symbol -- peace sign, one finger salute, whatever. Then someone would have to capture your image at the instant you authenticated.
It would be customizeable and and changeable, unlike your face, and hard to duplicate blindly.
From my point of view, it seems this could be combatted by using two cameras and depth perception, movement detection. The same way we are able to judge these things. Then the cameras would be able to tell of it was a picture or not. Also, if the cameras could move on a track, and look up, down, left or right, this would make it even more accurate.
Sig: I stole this sig.
Of course they broke it. "Biometric Authentication" is an oxymoron. The correct phrase is "Biometric Identification". A face or a finger are a claim of identity that still needs authentication with some form of secure credential, e.g. a password.
No Id and no authentication is "public". Id but no authentication is "public, but stupid about it".
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
A sentry won't shoot a spy wearing a paper mask.
Well, Mythbusters got past fingerprint recognition systems with a Xerox and a Sharpie (after getting the fingerprint off of a can or glass, IIRC). My comment at the time to the group I was watching it with was approximately "I hope their stocks drop hugely tomorrow".
Hey, how dare you insult the 3 years old asian boy!
Haven't they heard of Russian and other national's programmers being arrested or threatened with arrest if they land here?
I don't know about them, but I sure haven't. Is this something that's supposed to be common knowledge or do you have a link?
Anyway, what could they be arrested for? They don't appear to have done much besides hold up pictures of other people's faces and notice that the computers were unlocked. Don't tell me companies have made it illegal to notice the huge flaws in their products. I'm cynical, but not paranoid-delusional.
but wouldn't those hackers be pissed if they go through all the trouble to get a good face pic of the user only to find out that there's a password screen immediately after that. i'd say it's a great addition to a layered security system.
In a recent posting I pointed out how fingerprint and retinal scanners could be fooled.
An AC followed up claiming that "devices designed for actual security" also checked "biological signatures" to avoid being fooled by static images, fake fingerprints, and the like.
I responded that security vendors have a long history of claiming their stuff is testing for much more than it actually is, counting on this to deter attempts to actually break it. I expected that, as past behavior is a good predictor of future behavior, it would be reasonable to expect that this is also true of the "biometric" security measures currently sold to both the public and the government.
I'd say this puts the lie to any "biological signature" claim for at least this face recognition product, doesn't it?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
...they have a nice biometric chianti with some biometric fava beans.
I assume that grandparent is alluding to the Dmitry Sklyarov case. Some years back; but fairly big news, in geek circles, at the time.
I'm pretty sure we demonstrated this technique back in Space Quest III...
Oh come on, I'm not the only one who remembers that game!
-- "Other than that, how was the play Mrs. Lincoln?"
this has been done what over a million times before back in what 2000 or so I rememebr doing this to another program that we had setup in our high school class room
I can't understand the mindset that people must have to actually post trollish crap like this under their username.
It boggles the mind that we as a society are producing a generation of kids that actually takes pride in being anti-social and disruptive. Yet we have the arrogance to wage wars in an effort to make other nations emulate our social paradigm.
Perhaps it's not them that needs liberating from dictatorial governments, it's us that needs liberating from a downward spiral into social implosion.
Yes, yes I'm ready for the off topic mods now.
Reminds me of the episode of Mythbusters where they beat fingerprint biometrics with a photocopier.
if it is not an inside job - how does the thief get his photograph of the "authorized user?"
when the sensor is a webcam - why not include motion or depth perception in the authentication process?
if the camera is sensitive to infrared why not confirm that the heat signature of a live body is present as well?
I guess this can't be perfect, but there might be ways to improve it. For instance, one could combine it with motion detection and refuse to authenticate if the source image was perfectly steady. This would force the attacker to use video. Or, they could use eye-tracking and move a dot around the screen in some pattern, only authenticating if the user was fixating on the dot. This would prevent the attacker from using a video recording.
I don't mind tapping a four digit key out on my keypad after a minute's inactivity on my Mac. Maybe 5. Maybe 10.
That's enough - once you've stolen my Mac, you need to be with it every ten minutes... forever.
Or the thief can just change the PIN to 1337 and have access whenever he wants.
That's about it, hell I did this to my own laptop a few months ago. I took a shitty photo of my face with my shitty cameraphone and held the image up too the camera and it accepted it. The first thing I did after that was disable the facial recognition.
I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
If you've ever posted a photo of yourself on Twitter, Facebook, Myspace, a blog, or your website, people can easily get a high-quality photo of you without you knowing it.
Just sayin'.
Correct me if I am wrong but I don't believe anyone actually designed facial recognition for "security". Last I checked it was advertised as ease of use. Also since when is using pictures considered hacking???
Once they have your password, you choose another one and that's it. I'd like to see you do that with your face
Hell, I would too, just for the heck of it...
This is my sig.
We all know the three forms of authentication. If I wanted the ultimate in security, I'd attach a fingerprint reader and smart card reader to each workstation, and each user would have to authenticate with a fingerprint, smart card, and password.
Each one of these methods alone is quite weak:
- Passwords will be written down and shared.
- Smart cards will be left on the desk.
- Fingerprints can be beat with a copier.
So while a user goes to lunch, I could go up to their desk, put in the smart card they left behind, type in the password on the sticky note, and beat the fingerprint reader with a fingerprint I lifted off something the user had touched.
What did we learn here? We learned that the boss needs to grow a pair of balls and fire employees who write down passwords and leave smart cards unattended. :-)
If you're in a coffee shop, then the best type of authentication is dance recognition. You place the laptop on a table, push the chair to one side and dance like you're selling nails. As most people are terrible dancers it should be a fairly unique identifier. Especially for Apple owners, who will have to dance like Leonard Cohen because they all wear polo neck sweaters.
Task Mangler
What planet have you been on for the last couple of years? Seriously.. which one?
This has nothing to do with tin-foil-hat paranoid delusions. The GP may have been referring to Dmitry Sklyarov, which another poster just mentioned to you. That was about Adobe. Adobe did/does have huge flaws in it's software and Mr. Sklyarov came to the U.S to demonstrate that Adobe's representations of security were basically just fluff. He was arrested, and it was a HUGE deal.
This is not the only instance either. Anytime somebody dares to demonstrate how a security technology may be flawed those affected companies are using the DMCA and the corrupt/broken legisilative/judicial system to quash any dissemination of data that would reveal their products are snake oil.
Just awhile back there was a posting here on /. where a group of university kids (MIT) were involved in a lawsuit to suppress information they uncovered involving vulnerabilities in another security system.
There are plenty of examples where security is proven to be worthless and those affected financially have resorted to corrupt influences in the government to suppress the information and punish those involved with arrest.
These things I have mentioned to you are not delusional. I would suggest you educate yourself with the facts before accusing somebody of just being paranoid. Especially, since the GP was referring to something factual.
If it can be defeated with a 2D picture, why not up the ante and ensure that the target is 3d by scanning it with a cheap laser? Sure this could be defeated too, by people fabricating mannequins. If this is within your threat model, then you could require the subject to speak a phrase, then scan the series of facial movements for recognition. The black hats would then have to build an android replicant, requiring the white hats to counter with.... um... typed passwords?
What are you talking about? Why would they get arrested for demonstrating the vulnerability of an authentication system??? Sensationalism anyone?
Reverse engineering code to demonstrate flaws is one thing. Testing the software in a complete fashion without breaking into the code is quite another. Get YOUR facts straight.
If facial recognition is being offered as a replacement for passwords, then it is being sold as a replacement for security.
I'll never make that mistake again, reading the experts' opinions. - Feynman
I've been to a few places that use biometric security. They are nothing but a toy to impress the rich dummy customers. I've had to deal with thumbprint scanners on entry doors. You have to scan your thumb AND enter a code. Why? Because it can't readily enough tell the difference between your thumb and someone else's but if you provide a security code as well, then it is reasonably satisfied that it is really you. Of course, if you just entered the code by itself, that would have been just as good. What was annoying was late in the evenings at certain times of the year when glare made it not recognize thumbprints reliably and you had to sit out in the shivering cold trying to shield the sun from hitting the lens while you positioned your thumb just so and keyed the code with your third hand, or told your code to a passerby so he could key it in. Smarter to ask him to shield the kens, but he's gonna see the code anyway at that point. ... I don't tell it to anyone. The problem with passwords is when people do dumb things like share them with someone else, or worse, write them down. Of course, there is no reason to write them down because if is "your" password, you will always remember it. The only reason to write it down is because your idiot company requires you to change it every 30 days and you won't be able to remember it unless you write it down. So for password expiration to be really effective, it needs to expire every 5 minutes, because it will probably take them that long to choose a password that the system will accept, and then write it down.
Obgripe: Stupid banks and their stupid audits. Thanks to some stupid bank, our company just turned on password expiration again. Our policy requires a mixture of uppercase, lowercase, numbers and symbols, must be 8 characters or longer and can't be among the last 12 used. So I have failed login every time I have tried to log in for the last week, because the password that I have to type in is not "my" password but some password that I had to choose to meet the criteria, and of course, I have a hard time remembering it. Why do people seem to think it is a bad idea to let people keep the same password forever? I have had the same password for over 15 years and never had any trouble because
This from a company where I haven't been told what my login is for the ASP but they want me to use it, so whenever I am forced to use it by someone and I tell them I don't have a login, they tell me "Oh, just use mine. The password is 12345". Sigh.
If you are not allowed to question your government then the government has answered your question.
We need facial recognition CAPTCHA's. Something like three physical tasks you need to perform to gain access, eg 'Please place your left index finger on your nose. Accepted. Now please poke out your tongue. Accepted.' etc.
But even that wouldn't be impossible to defeat.
Still... I wonder how a 'Now show us your boobs' instruction would go down :)
nobody has ever had a reason to turn that kinda telephoto lens on me
Whoosh!
OK, I wonder how well those fancy-ass facial recognition systems work on these faces:
http://en.wikipedia.org/wiki/Jem'Hadar
http://en.wikipedia.org/wiki/Jem'Hadar
http://memory-alpha.org/en/wiki/Dreman
http://en.wikipedia.org/wiki/Juggernaut_(Voyager_episode)
http://memory-alpha.org/en/wiki/Vidiian
http://memory-alpha.org/en/wiki/Pakled
http://memory-alpha.org/en/wiki/Kaelon
If the biometrics can pass on these, then maybe they could begin work on testing for hyoo-mons?
But, then, these probably would all pass for each other...
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
i think a background check is needed on the hackers...
believing they did something so stupid. I mean... I believe it, but it's way out there. You'd have thought they would have learned their lesson when Mythbusters faked out an expensive fingerprint reader about 4 different ways a couple of years ago. Or when it was reported elsewhere last year that facial recognition could be fooled with simple pictures.
They blew it, big time. They should be held liable.
Not that anyone was forcing you to read it, or chime in on it...
nope, you're not offtopic, you're in the right track
This is only possible because all Asian people look the same.
"Hal ? Its me, David..."
I was under the impression that for any serious application of a biometric (as in "for security reasons"), that the system should check that the subject is alive, to help deter people from chopping off fingers or poking out eyes. eg a fingerprint scanner would check for sub-surface bloodflow.
The fact that this system is fooled by a static image of the person therefore deems it not fit for purpose IMHO, and this finding should be gratefully received by the manufacturers who can now work on improving the system.
He says the laptop makers should remove the facial biometrics feature from their products because the vulnerability of this technology can't be fixed. If that's the standard, all security features should be removed. Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in. The object is to make this unreasonably hard for most applications.
There are 2 ways to use biometrics. Either you use it as an alternative to a password, or you use it in addition to a password. In the first case, no matter how well it works you have only DECREASED your security, because the attacker can just choose the weakest link. In the second case, since biometrics are never 100% reliable you are liable to be shut off from your data... and if it is encrypted (as it should be if its security is a concern) this likely means irreversible loss of data.
Once they have your password, you choose another one and that's it. I'd like to see you do that with your face.
HEy ! I think you dicovered what Michael Jackson has been doing al this years !
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I believe airports and the passport office has invested HUGE amounts on face recognition - even though they know it does not scale and has too many false positives.
Forgetting the fact that they promised IR scanning will reject a photograph, which proved as useful as dunking a silicone finger in warm water. Ignoring the fact that silicone masks also do 3D.
No surprises, the claims are pure BS. Now it remains to see who paid for duff technology.
You need at least 1 facial scar and you also need to grin.
Switch the recognition to instead of a simple face shot, needing to say "My password is XXXX" so the software can watch your facial movements.
If you're dumb enough to let someone video tape you saying "My Password is XXXX", especially if you use a system like this, it's unlikely you have anyhting important enough to break in and steal anyway.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Dr. Lector cuts out the middle-man when comes to brute force attacks... then he eats his liver.
Don't tell me companies have made it illegal to notice the huge flaws in their products. I'm cynical, but not paranoid-delusional.
The DMCA make it specifically criminal to distribute information or tools to circumvent security features in software or hardware.
You are not paranoid enough. You are not cynical, you are in fact naive in you understanding of law and the power of corporations in america.
This is a perfect example of what Bruce calls "security theater". Anyone who watches TV has seen that the most secret places use biometrics--fingers, hands, eyes, faces (the only thing untried is butts)-- as the ultimate super-secure access control.
If you believe Hollywood, having this high-tech security on one's laptop is not only super secure but it's super cool! Lenovo et al know exactly what they are doing and who their client is.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
For all those captains of the obvious who parrot the author about having a digital camera. Here's a though, were a freaking halloween mask or something when you log on. Take a picture of your dog or something and tape it to your face; whatever. If you are the type who really need facial recognition then take the extra step and turn it into a real password where you only know the password image.
Here's an up-to-date partial list of security researchers who have been threatened with legal action for releasing research on security vulnerabilities:
http://attrition.org/errata/legal_threats/
It should give you an idea of why people are concerned.
End of lesson. You may press the button.
Lock picking kits have been hard to obtain for years too. I'm not usually a fan of mistrusting "the monied interests", but bringing charges due to demonstrations and speeches just rubs me the wrong way. It is akin to SLAPP suits and authors claiming unfair reviews of their work.
All you gotta do is tie a cardboard mask around your face with string, and you're good to go!
Perhaps it's not them that needs liberating from dictatorial governments, it's us that needs liberating from a downward spiral into social implosion.
Idiocracy. That's where our society is heading to.
The human condition http://en.wikipedia.org/wiki/Human_condition is an interesting thing to research, but I find it odd that you take offense that he posted it under a username rather than anonymously. There is no doubt most will find the post to be trollish and uncalled for in the discussion, but how is it really any different than from "Anonymous Cowered" ? The fact that he is not hiding who he is just means that for better or worse, he's not ashamed of who he is (not that the account actually identifies who you are).
I'm not defending the trolling, but I find it ironic that he is more confident in letting people know who he is when trolling than you, who is arguably on the higher ground, rebuking the troll.
"I only know 2 things: The love for me, and the fear of me."
Once they have your password, you choose another one and that's it. I'd like to see you do that with your face.
Plastic surgery.
That you mom?
NO SIG
We aint heading that way. We are already in it.
NO SIG
You want me to get my facts straight? Ummm, OK.
What situation are you referring to in the first place? I also don't understand the difference between reverse engineering code and demonstrating the function of intact code. Both would seem to me to have the same goal, which is to demonstrate that the intended goal of the software is flawed in some way. Neither should be illegal and cause for arrest. It should not be grounds for a lawsuit either.
By all means, please be more specific as to the differences. I would like to know just how one of the situations I mentioned should be illegal or actionable. Help me get my facts straight. Provide your arguments why the arrest was correct and explain the actions.
The face recognize can used to bring up the account, without display the accout name, asking for a password.
Hiding a username have some effect at least.
Allow a user to use face to gain access to a lower security level also a good use.
If a notebook is stolen, requiring a photo to use the notebook help recover that notebook.