Slashdot Mirror


Researchers Hack Biometric Faces

yahoi sends in news from a week or so back: "Vietnamese researchers have cracked the facial recognition technology used for authentication in Lenovo, Asus, and Toshiba laptops in lieu of the standard logon/password. The researchers were able to easily bypass the biometric authentication system built into the laptops by using photos of an authorized user, as well as by presenting multiple phony facial images in brute-force attacks. One of the researchers will demonstrate the hack at Black Hat DC this week. He says the laptop makers should remove the facial biometrics feature from their products because the vulnerability of this technology can't be fixed."

50 of 244 comments

  1. hacking? by Anonymous Coward · · Score: 5, Funny

    Shouldn't they get charged with hacking the researchers faces off? That is kind of brutal no?

    1. Re:hacking? by Anonymous Coward · · Score: 5, Funny

      Being an average, white American, I reckon an Asian having a biometric face-secure laptop is just plain stupid. 9 billion Chinese probably all can get into each other's raptops, no shit, G.I. They all sure do look alike, don't they? My Pa sure thinks so. So does his wife, my sister. Man, she's hot.

  2. Ok then... by going_the_2Rpi_way · · Score: 4, Interesting

    He says the laptop makers should remove the facial biometrics feature from their products because the vulnerability of this technology can't be fixed.

    If that's the standard, all security features should be removed. Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in. The object is to make this unreasonably hard for most applications.

    If you get your laptop lifted at the coffee shop, they better lift your wallet too I guess.

    1. Re:Ok then... by Sir+Groane · · Score: 5, Funny

      Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in.

      The point is facial recognition alone is so vulnerable! All you need is a cameraphone and a photo printer - and you can't revoke your face as your password either. At least with fingerprints you can get hacked nearly 10 times (on average) before it becomes a problem.

    2. Re:Ok then... by GrenDel+Fuego · · Score: 5, Insightful

      I definitely disagree here. While passwords can be brute forced given enough time, your face is almost certainly available to someone who has access to get at your computer.

      There is a difference between identification and authentication (your claim of who you are, and your proof of that claim). What you look like is identification.

    3. Re:Ok then... by Jurily · · Score: 4, Insightful

      If that's the standard, all security features should be removed. Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in. The object is to make this unreasonably hard for most applications.

      Not quite. Biometrics are horrible for security, because 1. they're not secret, 2. they're not easily replaceable. Once they have a picture of you, facial recognition is broken. Once they have your fingerprint, that's broken as well.

      Once they have your password, you choose another one and that's it. I'd like to see you do that with your face.

    4. Re:Ok then... by spleen_blender · · Score: 5, Interesting

      I don't comment that often, but does anyone have any idea on the viability of stereoscopic facial recognition? Wouldn't that make a 3D model required to be presented to the input instead of just a 2D one? Or two 2D images offset at the right angle for the distance from the cameras?

    5. Re:Ok then... by ratnerstar · · Score: 3, Insightful

      Biometrics are one part of a good authentication system. But there are always trade-offs: to lower FRR (False Reject Rate, or rate of false negatives) you have to raise FAR (False Accept Rate, or rate of false positives). Iris and fingerprint recognition are mature technologies; they can deliver low false negatives with virtually no false positives. There are well-defined and effective ways of preventing spoofing. But yes, they are only a single component, and should be combined with password and/or physical tokens.

      On the other hand, facial recognition is much, much less developed. Using it for your sole authentication modality is absurd. In order to prevent an extremely high level of false negatives, you'd have to accept an unacceptably high level of false positives. This makes spoofing easy.

      --
      Just because you sold your soul to the devil that needn't make you a teetotaler. --The Devil and Daniel Webster
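The FRR/FAR trade-off ratnerstar describes above, and the "multiple phony facial images in brute-force attacks" mentioned in the story summary, can be made concrete with a small threshold sweep. This is an added example, not code from the thread or from any of the laptop vendors' matchers; the match scores are constructed, and the 0..100 scale, the function names and the 1/FAR estimate are assumptions for illustration.

```python
# Added example (not from the thread): the FRR/FAR trade-off of a biometric
# matcher as its acceptance threshold moves. All scores below are constructed.

# Constructed match scores on an assumed 0..100 scale; higher means "more like
# the enrolled face". In a real system these would come from the matcher.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 72, 70, 66, 61]   # enrolled user, live
IMPOSTOR_SCORES = [68, 63, 58, 55, 52, 49, 44, 40, 35, 30]  # other people or photos


def false_reject_rate(genuine, threshold):
    """FRR: fraction of genuine attempts scoring below the threshold."""
    rejected = sum(1 for s in genuine if s < threshold)
    return rejected / len(genuine)


def false_accept_rate(impostor, threshold):
    """FAR: fraction of impostor attempts scoring at or above the threshold."""
    accepted = sum(1 for s in impostor if s >= threshold)
    return accepted / len(impostor)


def sweep(genuine, impostor, thresholds):
    """(threshold, FRR, FAR) for each threshold; as FRR falls, FAR rises."""
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in thresholds]


def equal_error_threshold(genuine, impostor, thresholds):
    """Threshold where FRR and FAR are closest (the equal error rate point)."""
    return min(thresholds,
               key=lambda t: abs(false_reject_rate(genuine, t)
                                 - false_accept_rate(impostor, t)))


def expected_impostor_attempts(impostor, threshold):
    """Mean number of independent impostor tries until one is accepted (1/FAR).

    This is the risk metric behind "brute-forcing with many phony images":
    the lower the threshold, the fewer samples an attacker needs on average.
    Returns None when FAR is zero on this sample.
    """
    accepted = sum(1 for s in impostor if s >= threshold)
    if accepted == 0:
        return None
    return len(impostor) / accepted


if __name__ == "__main__":
    thresholds = range(50, 71, 5)
    for t, frr, far in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds):
        tries = expected_impostor_attempts(IMPOSTOR_SCORES, t)
        print(f"threshold {t}: FRR={frr:.1f} FAR={far:.1f} tries-to-accept={tries}")
    print("EER threshold:",
          equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds))
```

On these constructed numbers a threshold of 50 never rejects the real user but accepts half of the impostor samples, so two random impostor images are expected to suffice, while a threshold of 70 accepts none of them at the cost of rejecting the real user one time in five. A consumer product tuned so the owner is never turned away in bad lighting sits at the low-threshold end of that curve, which is the quantitative reason the single-modality design is so easy to spoof and why a second factor, not threshold tuning, is the mitigation.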
    6. Re:Ok then... by Jurily · · Score: 4, Insightful

      Iris and fingerprint recognition are mature technologies; they can deliver low false negatives with virtually no false positives.

      Passwords deliver 0% false negatives and 0% false positives. If it rejects you, just type it again.

      There are well-defined and effective ways of preventing spoofing.

      Like what? A hash of my whole eyeball?

      Anyway, nice job twisting my point. Let me repeat:
      1. Not secret. Unique, but not secret. Which means, if someone gets the technology to spoof one, they can spoof all. What, fingerprints? They use them to catch criminals because we leave them all over the place.
      2. Not replaceable. If you find out someone can spoof your iris, what do you do? Grow new ones?

      Just because the technology isn't available yet, don't assume it never will be.

      There is only one thing that biometrics add to security: no one has to tell the Big Boss he can't use his initials as password anymore. Apparently it's worth it.

    7. Re:Ok then... by macraig · · Score: 2, Funny

      Ummm... balaclava the headwear, not baklava the tasty Greek pastry! I guess you can still wear baklava for your wife, if that will help, but maybe not in public.

    8. Re:Ok then... by fuzzyfuzzyfungus · · Score: 4, Insightful

      In single-system scenarios, you are correct. Once the password or biometric ID is cracked, the system is cracked, game over, etc. In that sense, they are equivalent. The problem is that your life, which is ultimately the use case you care about, isn't a single-system scenario, it is a long series of systems and accounts and whatnot over your entire life. If a password is broken, and your email account or whatever is compromised, that sucks; but you can generate a new one for future rounds. If a biometric ID is cracked, you can't generate a new one, so any and all systems, for the rest of your life, that are "secured" by biometrics aren't secure. That is where biometrics really falls flat.

    9. Re:Ok then... by Jurily · · Score: 3, Funny

      Maybe it's time I got in touch with that bully I knew in kindergarten. He seemed to have a natural gift in that area.

      He had two faces?

    10. Re:Ok then... by Panzor · · Score: 4, Insightful

      While passwords can be brute forced given enough time, your face is almost certainly available to someone who has access to get at your computer.

      Also, you could say that face recognition is just as secure as writing a reasonably long password on your forehead. Someone takes a picture and boom. Access.

      Personally, I refrain from writing my passwords on my forehead - regardless of whether I can see a suspicious-looking character taking a picture of me square enough in the face to capture all the digits. And I also refrain from using or buying face recognition devices...

    11. Re:Ok then... by Rog-Mahal · · Score: 2, Informative

      "One special point we found out when studying those algorithms is that all of them work with images that have already been digitalized and gone through image processing. Consequently, we think that this is the weakest security spot in face recognition systems, generally, and access control system of the three vendors, particularly." (From the article) Doesn't sound like you need an amazing quality photo.

    12. Re:Ok then... by Herby+Sagues · · Score: 4, Insightful

      What puzzles me is the comment in the article:

      This form of authentication is considered more convenient than fingerprint scans and more secure than traditional passwords

      Considered by whom? Their dog? No one that has three working neurons can think that how your face looks is a stronger secret than some word you have in your mind. When they announced this "security mechanism" every security specialist I know said it was worse than nothing, it didn't even qualify as weak security, and it would be abandoned within months. It is sad when security features of computers are designed in the marketing department.

    13. Re:Ok then... by Anonymous Coward · · Score: 2, Insightful

      Exactly how is someone going to get photo of you of sufficient quality to fool the recognition system without you knowing about it? You'll see the person taking the photo, and thus be able to deal with the potential breach before it ever happens.

      Apparently you've never seen a telephoto lens in action.

    14. Re:Ok then... by ITEric · · Score: 2

      ...Facial recognition after a fight with the neighbor...

      I had been thinking about this aspect - and although I believe the facial recognition systems aren't yet ready for prime-time, at least if you're subjected to this hack, it could save your face!

      --
      The most exciting phrase to hear in science, the one that heralds new discoveries, is not 'Eureka!' but 'That's funny...
    15. Re:Ok then... by SEE · · Score: 2, Funny

      And yes, C-level's love biometric stuff because they don't have to remember passwords.

      They should just all get Ident-i-Eeze cards.

    16. Re:Ok then... by morgan_greywolf · · Score: 2, Funny

      No, no, no. I'm pretty sure the parent was talking about wearing baklava! It's really, really sticky, see, so if someone tries to take a picture of you, they'll probably end up stuck to your face!

    17. Re:Ok then... by francium+de+neobie · · Score: 2, Insightful

      You leave your fingerprints everywhere, so it's pretty much public information. Now the only thing you're relying on is the attacker's inability, or choosing not to waste time, to reproduce your fingerprint - but that's security by obscurity, isn't it?

      So based on this argument, card + code is just as secure as card + code + fingerprint. The fingerprint step is there to make you feel safe rather than really make you safe.

    18. Re:Ok then... by macraig · · Score: 2, Funny

      Assuming that's the ONLY place you're wearing it, that is.

    19. Re:Ok then... by Traxton1 · · Score: 2, Interesting
      Here's a high quality image of your face from your Facebook page. I mean, I'd have to join the Sacramento network, but it's pretty easy if I wanted to.

      http://profile.ak.facebook.com/v224/628/60/s501905303_4113.jpg

      I imagine macraig.homedns.org and vulcan tourist.info had pics too but you can't seem to keep them up. I like the cartoon image of you that you usually use though.

  3. Ummm... by Darkness404 · · Score: 3, Insightful

    Any security measure other than a (secure) password for computers is not going to provide much security. Fingerprint scanners can be bypassed, physical dongles can be duplicated, and other things are trivial to remove. A secure password with encryption is the only way that you can really make sure a computer is 100% secure. But most people don't need 100% security. There are very few robbers who would steal a laptop then proceed to attempt to remove data on it via fingerprints or other biometrics. So for the average user, it isn't a security risk. It's like saying that locking your door at night isn't good enough because a determined person can break through the glass.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:Ummm... by QuantumG · · Score: 3, Funny

      Heh, if you have physical access the game is over. "Lock your terminal" is merely a poor defense against bored pranksters (beating their head in if they touch your machine is the only effective deterrent).

      --
      How we know is more important than what we know.
    2. Re:Ummm... by xwizbt · · Score: 2, Interesting

      My iPhone locks itself after a minute and demands a four digit passcode.

      It's not the perfect solution, I know, but I don't mind tapping a four digit key out on my keypad after a minute's inactivity on my Mac. Maybe 5. Maybe 10.

      That's enough - once you've stolen my Mac, you need to be with it every ten minutes... forever.

    3. Re:Ummm... by TheDugong · · Score: 2, Insightful

      Then you do not have physical access.

  4. ... Wow. by Valdrax · · Score: 3, Interesting

    The researchers were able to easily bypass the biometric authentication system built into the laptops by using photos of an authorized user [...]

    Tragically, sadly obvious. Not even a hack, really.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  5. Last season in Burn Notice by HomerJ · · Score: 3, Interesting

    Even made a point of saying "facial recognition systems aren't all that secure. They can't tell the difference between a person and a photo of the person". Then he proceeded to break into the room by holding up a picture of someone that had access.

    1. Re:Last season in Burn Notice by ari_j · · Score: 3, Insightful

      And Mythbusters has fingerprint scanners covered. As others have pointed out, use your faceprint or fingerprint for identification and a password or the like for authentication. Hell, even in Star Trek you have to say "Authorization Picard Alpha Two" in Picard's voice to blow up the ship.

    2. Re:Last season in Burn Notice by citizenr · · Score: 2, Informative

      Yes, and in the last episode they showed how you can defeat a cellphone jammer using an Ethernet patch cord connected into a mainframe as an antenna... this show is full of GARBAGE Science

      --
      Who logs in to gdm? Not I, said the duck.
  6. I'm against facial recognition because... by Coder4Life · · Score: 3, Insightful

    ...your average joe-6-pack criminal isn't going to have the brain cells for black hat cracking stuff like this. If they can't get into the laptop, they are probably going to part it out and sell it for any money they can get. On the other hand, if they have full access and can get wifi somewhere, then having Adeona (http://adeona.cs.washington.edu/) installed might pay off. A chance of getting your laptop back is probably better than none at all... If you're really concerned about security, TrueCrypt + USB key would probably be a better choice imo. I guess it all comes down to how secure you want your laptop to be...

    --
    Once upon a time in a mythical land called Soviet Russia, a hot bowl of grits had Natalie Portman.
  7. Re:hacking? Huh? by davidsyes · · Score: 2, Interesting

    Not for that. But they should be careful because they probably just pissed off a load of laptop and biometrics software manufacturers who will likely lobby for their being arrested if they land in the US, or if they commence their presentation.

    Haven't they heard of Russian and other nationals' programmers being arrested or threatened with arrest if they land here?

    But, if they are REALLY good, they've come up with a solution (for however long decent solutions can be expected to last...), and boost Vietnam's programmer prominence. They're doing not too shabby in the shipbuilding industry.

    Vinashin:

    http://www.vinashin.com.vn/english/Capacity.asp

    Hyundai-Vinashin:

    http://www.hyundai-vinashin.com/

    Maybe they can help out with the US TSA/TWIC/Port Security algorithms?

    But, if they get arrested, I don't think Vietnam will take this lightly. The US better go light on this one because if the biometric software touted as good enough for consumers is a fraud, or shoddy at best, then these programmers are nothing less and probably a little bit more than responsible whistleblowers in my book. Why stand by and watch vapor/failure/crapware enter the market if it can be headed off?

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  8. Gesture + facial recognition by Anonymous Coward · · Score: 4, Interesting

    Wonder if, when you 'enrolled' your face in the recognition software, you held your hand(s) up in the image forming a symbol -- peace sign, one finger salute, whatever. Then someone would have to capture your image at the instant you authenticated.

    It would be customizable and changeable, unlike your face, and hard to duplicate blindly.

    1. Re:Gesture + facial recognition by Burning1 · · Score: 4, Insightful

      ...and carries the same level of security as speaking your password every time you type it.

      Seriously, biometrics are a bad idea, unless also combined with other methods of authentication.

  9. You expect us to be surprised? by thethibs · · Score: 2, Interesting

    Of course they broke it. "Biometric Authentication" is an oxymoron. The correct phrase is "Biometric Identification". A face or a finger are a claim of identity that still needs authentication with some form of secure credential, e.g. a password.

    No Id and no authentication is "public". Id but no authentication is "public, but stupid about it".

    --
    I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
  10. Mythbusters & fingerprint recognition by mattack2 · · Score: 2, Insightful

    Well, Mythbusters got past fingerprint recognition systems with a Xerox and a Sharpie (after getting the fingerprint off of a can or glass, IIRC). My comment at the time to the group I was watching it with was approximately "I hope their stocks drop hugely tomorrow".

    1. Re:Mythbusters & fingerprint recognition by Cobra+Spaz · · Score: 2, Informative

      Fingerprint readers are very easy to crack if you have someone's fingerprint. The last company I worked for had two types of fingerprint readers. You could crack them both by placing a scanned image of the fingerprint on the reader. The only difference between the two was that one of them only scanned if it sensed enough heat and the scan plate was grounded by being touched. So it was slightly more difficult to crack. It took a while to find the right paper that allowed enough heat to come through, and then we passed the grounding check by barely touching the edge of the scanner with one of our fingers. Biometric protection is great when it is part of a multi-layered scheme; however, by itself it is too easy to bypass. I still think that facial recognition and/or a fingerprint scanner is a great addition to a strong password, but it should never be used by itself to begin with.

  11. well sure by Drumforyourlife · · Score: 3, Insightful

    But wouldn't those hackers be pissed if they go through all the trouble to get a good face pic of the user only to find out that there's a password screen immediately after that? I'd say it's a great addition to a layered security system.

    1. Re:well sure by Quantumstate · · Score: 2, Insightful

      It is a good addition but the problem is that users will not see it that way. Many people will assume that since they have this wonderful technology there is not any need for a password as well.

  12. Re:hacking? Huh? by fuzzyfuzzyfungus · · Score: 2, Informative

    I assume that grandparent is alluding to the Dmitry Sklyarov case. Some years back; but fairly big news, in geek circles, at the time.

  13. Re:Terrible News! Please read! by Anonymous Coward · · Score: 4, Insightful

    I can't understand the mindset that people must have to actually post trollish crap like this under their username.

    It boggles the mind that we as a society are producing a generation of kids that actually takes pride in being anti-social and disruptive. Yet we have the arrogance to wage wars in an effort to make other nations emulate our social paradigm.

    Perhaps it's not them that needs liberating from dictatorial governments, it's us that needs liberating from a downward spiral into social implosion.

    Yes, yes I'm ready for the off topic mods now.

  14. The Internet? by Jon.Laslow · · Score: 5, Insightful

    If you've ever posted a photo of yourself on Twitter, Facebook, Myspace, a blog, or your website, people can easily get a high-quality photo of you without you knowing it.

    Just sayin'.

    1. Re:The Internet? by Bearhouse · · Score: 2, Funny

      If you've ever posted a photo of yourself on Twitter, Facebook, Myspace, a blog, or your website, people can easily get a high-quality photo of you without you knowing it.

      You've seen a high quality photo on Facebook?

  15. Dance recognition by Centurix · · Score: 2, Funny

    If you're in a coffee shop, then the best type of authentication is dance recognition. You place the laptop on a table, push the chair to one side and dance like you're selling nails. As most people are terrible dancers it should be a fairly unique identifier. Especially for Apple owners, who will have to dance like Leonard Cohen because they all wear polo neck sweaters.

    --
    Task Mangler
  16. Re:hacking? Huh? by EdIII · · Score: 5, Insightful

    Don't tell me companies have made it illegal to notice the huge flaws in their products. I'm cynical, but not paranoid-delusional.

    What planet have you been on for the last couple of years? Seriously.. which one?

    This has nothing to do with tin-foil-hat paranoid delusions. The GP may have been referring to Dmitry Sklyarov, which another poster just mentioned to you. That was about Adobe. Adobe did/does have huge flaws in its software, and Mr. Sklyarov came to the U.S. to demonstrate that Adobe's representations of security were basically just fluff. He was arrested, and it was a HUGE deal.

    This is not the only instance either. Anytime somebody dares to demonstrate how a security technology may be flawed, the affected companies use the DMCA and the corrupt/broken legislative/judicial system to quash any dissemination of data that would reveal their products are snake oil.

    Just a while back there was a posting here on /. where a group of university kids (MIT) were involved in a lawsuit to suppress information they uncovered involving vulnerabilities in another security system.

    There are plenty of examples where security is proven to be worthless and those affected financially have resorted to corrupt influences in the government to suppress the information and punish those involved with arrest.

    These things I have mentioned to you are not delusional. I would suggest you educate yourself with the facts before accusing somebody of just being paranoid. Especially, since the GP was referring to something factual.


  17. Re:hacking? Huh? by shawb · · Score: 4, Insightful

    If facial recognition is being offered as a replacement for passwords, then it is being sold as a replacement for security.

    --
    I'll never make that mistake again, reading the experts' opinions. - Feynman
  18. Dead or alive... by jimwormold · · Score: 2, Insightful

    I was under the impression that for any serious application of a biometric (as in "for security reasons"), the system should check that the subject is alive, to help deter people from chopping off fingers or poking out eyes. E.g. a fingerprint scanner would check for sub-surface blood flow.

    The fact that this system is fooled by a static image of the person therefore deems it not fit for purpose IMHO, and this finding should be gratefully received by the manufacturers who can now work on improving the system.

  19. Re:A laser might help by John+Hasler · · Score: 2, Insightful

    > If it can be defeated with a 2D picture, why not up the ante and ensure that the target
    > is 3d by scanning it with a cheap laser?

    Because the whole point was to offer biometric identification without spending any money on hardware. The camera was already there.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  20. Re:hacking? Huh? by Verteiron · · Score: 4, Informative

    Here's an up-to-date partial list of security researchers who have been threatened with legal action for releasing research on security vulnerabilities:

    http://attrition.org/errata/legal_threats/

    It should give you an idea of why people are concerned.

    --
    End of lesson. You may press the button.
  21. Re:hacking? Huh? by EdIII · · Score: 2, Informative

    Reverse engineering code to demonstrate flaws is one thing. Testing the software in a complete fashion without breaking into the code is quite another. Get YOUR facts straight.

    You want me to get my facts straight? Ummm, OK.

    What situation are you referring to in the first place? I also don't understand the difference between reverse engineering code and demonstrating the function of intact code. Both would seem to me to have the same goal, which is to demonstrate that the intended goal of the software is flawed in some way. Neither should be illegal and cause for arrest. It should not be grounds for a lawsuit either.

    By all means, please be more specific as to the differences. I would like to know just how one of the situations I mentioned should be illegal or actionable. Help me get my facts straight. Provide your arguments why the arrest was correct and explain the actions.