Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Hack Biometric Faces

Posted by kdawson on from the face-off dept.

yahoi sends in news from a week or so back: "Vietnamese researchers have cracked the facial recognition technology used for authentication in Lenovo, Asus, and Toshiba laptops in lieu of the standard logon/password. The researchers were able to easily bypass the biometric authentication system built into the laptops by using photos of an authorized user, as well as by presenting multiple phony facial images in brute-force attacks. One of the researchers will demonstrate the hack at Black Hat DC this week. He says the laptop makers should remove the facial biometrics feature from their products because the vulnerability of this technology can't be fixed."

18 of 244 comments (clear)

  1. hacking? by Anonymous Coward · · Score: 5, Funny

    Shouldn't they get charged with hacking the researchers faces off? That is kind of brutal no?

    1. Re:hacking? by Anonymous Coward · · Score: 5, Funny

      Being an average, white American, I reckon an Asian having a biometric face-secure laptop is just plain stupid. 9 billion Chinese probably all can get into each other's raptops, no shit, G.I. They all sure do look alike, don't they? My Pa sure thinks so. So does his wife, my sister. Man, she's hot.

  2. Ok then... by going_the_2Rpi_way · · Score: 4, Interesting

    He says the laptop makers should remove the facial biometrics feature from their products because the vulnerability of this technology can't be fixed.

    If that's the standard, all security features should be removed. Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in. The object is to make this unreasonably hard for most applications.

    If you get your laptop lifted at the coffee shop, they better lift your wallet too I guess.

    --
    =======
    Science -- Sealed, Delivered.
    1. Re:Ok then... by Sir+Groane · · Score: 5, Funny

      Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in.

      The point is facial recognition alone is so vulnerable! All you need is a cameraphone and a photo printer - and you can't revoke your face as your password either. At least with fingerprints you can get hacked nearly 10 times (on average) before it becomes a problem.

    2. Re:Ok then... by GrenDel+Fuego · · Score: 5, Insightful

      I definitely disagree here. While passwords can be brute forced given enough time, your face is almost certainly available to someone who has access to get at your computer.

      There is a difference between identification and authentication (your claim of who you are, and your proof of that claim). What you look like is identification.

    3. Re:Ok then... by Jurily · · Score: 4, Insightful

      If that's the standard, all security features should be removed. Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in. The object is to make this unreasonably hard for most applications.

      Not quite. Biometrics are horrible for security, because 1. they're not secret, 2. they're not easily replaceable. Once they have a picture of you, facial recognition is broken. Once they have your fingerprint, that's broken as well.

      Once they have your password, you choose another one and that's it. I'd like to see you do that with your face.

    4. Re:Ok then... by spleen_blender · · Score: 5, Interesting

      I don't comment that often but does anyone have any idea on the viability of stereoscopic facial recognition? Wouldn't that make a 3d model required to be presented to the input instead just a 2d one? Or two 2d images offset at the right angle for the distance from the cameras?

    5. Re:Ok then... by Jurily · · Score: 4, Insightful

      Iris and fingerprint recognition are mature technologies; they can deliver low false negatives with virtually no false positives.

      Passwords deliver 0% false negatives and 0% false positives. If it rejects you, just type it again.

      There are well-defined and effective ways of preventing spoofing.

      Like what? A hash of my whole eyeball?

      Anyway, nice job twisting my point. Let me repeat:
      1. Not secret. Unique, but not secret. Which means, if someone gets the technology to spoof one, they can spoof all. What, fingerprints? They use them to catch criminals because we leave them all over the place.
      2. Not replaceable. If you find out someone can spoof your iris, what do you do? Grow new ones?

      Just because the technology isn't available yet, don't assume it never will be.

      There is only one thing that biometrics add to security: noone has to tell the Big Boss he can't juse his initials as password anymore. Apparently it's worth it.

    6. Re:Ok then... by fuzzyfuzzyfungus · · Score: 4, Insightful

      In single-system scenarios, you are correct. Once the password or biometric ID is cracked, the system is cracked, game over, etc. In that sense, they are equivalent. The problem is that your life, which is ultimately the use case you care about, isn't a single-system scenario, it is a long series of systems and accounts and whatnot over your entire life. If a password is broken, and your email account or whatever is compromised, that sucks; but you can generate a new one for future rounds. If a biometric ID is cracked, you can't generate a new one, so any and all systems, for the rest of your life, that are "secured" by biometrics aren't secure. That is where biometrics really falls flat.

    7. Re:Ok then... by Panzor · · Score: 4, Insightful

      While passwords can be brute forced given enough time, your face is almost certainly available to someone who has access to get at your computer.

      Also, you could say that face recognition is just as secure as writing a reasonably long password on your forehead. Someone takes a picture and boom. Access.

      Personally, I refrain from writing my passwords on my forehead - regardless if I can see a suspicious-looking character taking a picture of me square-enough in the face to capture all the digits. And, I also refrain of using or buying face recognition devices...

    8. Re:Ok then... by Herby+Sagues · · Score: 4, Insightful

      What puzzles me is the comment in the article: > This form of authentication is considered more convenient than fingerprint scans and more secure than traditional passwords Considered by whom? Their dog? No one that has three working neurons can think that how your face looks is a stronger secret than some word you have in your mind. When they announced this "security mechanism" every security specialist I know said it was worse than nothing, it didn't even qualify as weak security, and it would be abandoned within months. It is sad when security features of computers are designed in the marketing department.

  3. Gesture + facial recognition by Anonymous Coward · · Score: 4, Interesting

    Wonder if, when you 'enrolled' your face in the recognition software, you held your hand(s) up in the image forming a symbol -- peace sign, one finger salute, whatever. Then someone would have to capture your image at the instant you authenticated.

    It would be customizeable and and changeable, unlike your face, and hard to duplicate blindly.

    1. Re:Gesture + facial recognition by Burning1 · · Score: 4, Insightful

      ...and carries the same level of security as speaking your password every time you type it.

      Seriously, biometrics are a bad idea, unless also combined with other methods of authentication.

  4. Re:Terrible News! Please read! by Anonymous Coward · · Score: 4, Insightful

    I can't understand the mindset that people must have to actually post trollish crap like this under their username.

    It boggles the mind that we as a society are producing a generation of kids that actually takes pride in being anti-social and disruptive. Yet we have the arrogance to wage wars in an effort to make other nations emulate our social paradigm.

    Perhaps it's not them that needs liberating from dictatorial governments, it's us that needs liberating from a downward spiral into social implosion.

    Yes, yes I'm ready for the off topic mods now.

  5. The Internet? by Jon.Laslow · · Score: 5, Insightful

    If you've ever posted a photo of yourself on Twitter, Facebook, Myspace, a blog, or your website, people can easily get a high-quality photo of you without you knowing it.

    Just sayin'.

  6. Re:hacking? Huh? by EdIII · · Score: 5, Insightful

    Don't tell me companies have made it illegal to notice the huge flaws in their products. I'm cynical, but not paranoid-delusional.

    What planet have you been on for the last couple of years? Seriously.. which one?

    This has nothing to do with tin-foil-hat paranoid delusions. The GP may have been referring to Dmitry Sklyarov, which another poster just mentioned to you. That was about Adobe. Adobe did/does have huge flaws in it's software and Mr. Sklyarov came to the U.S to demonstrate that Adobe's representations of security were basically just fluff. He was arrested, and it was a HUGE deal.

    This is not the only instance either. Anytime somebody dares to demonstrate how a security technology may be flawed those affected companies are using the DMCA and the corrupt/broken legisilative/judicial system to quash any dissemination of data that would reveal their products are snake oil.

    Just awhile back there was a posting here on /. where a group of university kids (MIT) were involved in a lawsuit to suppress information they uncovered involving vulnerabilities in another security system.

    There are plenty of examples where security is proven to be worthless and those affected financially have resorted to corrupt influences in the government to suppress the information and punish those involved with arrest.

    These things I have mentioned to you are not delusional. I would suggest you educate yourself with the facts before accusing somebody of just being paranoid. Especially, since the GP was referring to something factual.

     

  7. Re:hacking? Huh? by shawb · · Score: 4, Insightful

    If facial recognition is being offered as a replacement for passwords, then it is being sold as a replacement for security.

    --
    I'll never make that mistake again, reading the experts' opinions. - Feynman
  8. Re:hacking? Huh? by Verteiron · · Score: 4, Informative

    Here's an up-to-date partial list of security researchers who have been threatened with legal action for releasing research on security vulnerabilities:

    http://attrition.org/errata/legal_threats/

    It should give you an idea of why people are concerned.

    --
    End of lesson. You may press the button.