Slashdot Mirror
Windows 10 Facial Recognition Feature Can Be Bypassed with a Photo (bleepingcomputer.com)
Windows Hello, the face scanning security feature in Windows 10, has been defeated with the use of a printed out picture. From a report: In a report published yesterday, German pen-testing company SySS GmbH says it discovered that Windows Hello is vulnerable to the simplest and most common attack against facial recognition biometrics software -- the doomsday scenario of using a printed photo of the device's owner. Researchers say that by using a laser color printout of a low-resolution (340x340 pixels) photo of the device owner's face, modified to the near IR spectrum, they were able to unlock several Windows devices where Windows Hello had been previously activated. The attack worked even if the "enhanced anti-spoofing" feature had been enabled in the Windows Hello settings panel, albeit for these attacks SySS researchers said they needed a photo of a higher resolution of 480x480 pixels (which in reality is still a low-resolution photo). [...] Microsoft released updates earlier this month to patch the vulnerability.
Color me suprised!
That's not good. That's not good at all.
To start scratching real facial recognition
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
Trump collapses at cabinet meeting. Has been placed in a medically induced coma. Expected to survive but be in a vegetative state. Sad.
spit into this tube to log into your computer
you just know someone will try jack off into it
"a printed photo of the device's owner."
Windows 10 is possibly the worst spyware ever made.
Sad news ... Christopher Dale Reimer, dead at 48
I just heard some sad news on talk radio - Everyday reality/Haiku writer Christopher Dale Reimer was found dead in his San Jose apartment this morning. There weren't any more details. I'm sure everyone in the Slashdot community will miss him - even if you didn't enjoy his work, there's no denying his contributions to popular culture. Truly an American icon.
What does "modified to the near infrared spectrum" mean?
My printer can't print "near infrared" or radio waves. It can't even print gamma rays.
Who comes up with such stupid ideas like using the camera and face detection as authentication method?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Okay, it's not the first time simple ways have been found to circumvent so-called "biometrics" especially the poor man's version of these tools. The Windows 10 version is mostly likely a low end version with very limited pixel resolution recognition on the camera (to be compatible with the low end cameras that come in most laptops and cameras), plus an routine to distinguish a live face (with facial movements/ticks as supposed to a 100% static picture) was probably never even considered because it would add to cost and time to development. So when you think about it, it's really a TERRIBLE idea. even with that taken into account, a camera with a high enough resolution to recognize a video would add costs too.
We tried finger print recognition which is also terrible because it is too easy to lift a fingerprint from a victim (or even bypass the finger print scanner in many cases). Anything that is easy to lift/take from the user is inherently insecure: Finger prints (scotch tape/talcum powder will get that from any surface including keyboards and coffee cups), facial recognition (just lift a picture from facebook or any social media site where people often publish high resolution photos, even easier than getting a finger print). Voice print is a LITTLE better but voice patterns have been successfully simulated/recorded from everyday conversation or even YouTube lectures. (techies often love to give these).
There is absolutely NO substitute for a good old fashion typed passwords (even better, in combination with typing sampling for speed/patterns). Even voice passwords are potentially easy to copy with a long or even short range microphone The password is proven most secure because it requires you to look into someone's memory or stand over them and watch them type it, unless of course they use the same password across but that requires more time/research than getting a facial picture or even a fingerprint if you know or work with the victim. Perhaps these could be used IN ADDITION to a password, but should NEVER be a substitute. The key to secure is the remember this old axiom: Security comes at the price of convenience. Without exception. Of course common sense rules like password rotation on a regular basis are essential. It is possible to lift a password I imagine using the amount of body oil on each key or even thermal patterns on a keyboard to lift a password, but look at all the effort/equipment required to do that. It feels like every new biometric security toy is less secure than the last.
"Imagination is more important than knowledge" - Einstein
Not like Microsoft has ever shown any acumen in security matters but this face unlock stuff really needs to die.
Shouldn't a video be able to interpret enough 3d with a little motion?
Live Photo.
Or any other brief video clip of the person can be played back to easily bypass a system that relies on motion in a camera.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Basically, at this point, it's a giant gimmick.
Chas - The one, the only.
THANK GOD!!!
Comment removed based on user account deletion
but isn't stuff like this just an inherently bad idea? It seems like assigning the task of authentication to the device (instead of the human user) is always going to be flawed. Of course humans are flawed too, but humans have the ability to trick machines, not the other way around.
Don't these idiots do any testing of these "security" measures?
You mean at a multi-billion dollar enterprise like MS, no one thinks to try some pictures to fake the recognition?
Almost makes one think it was intentional.
Before the usual retort of "You know this is Microsoft, right" rolls in, this question does deserve consideration.
Was this not tested against, at all?
Did they not attempt to circumvent this method with a photo? I write code for a living, and something that's continually running through my mind is "how can this fail or break?" I'm certain there are devs at Microsoft who are similarly afflicted.
So I guess the real question is: Was it tested, and everyone just hoped no one in meat-space would also think to try a photo, or was there some pointy-haired manager who decided that enough dev time had been spent, and it was time to turn the profit faucet on?
An internal system operation returned the error "The operation completed successfully.".
MS probably patched the issue by upping the resolution required. That's the super-enhanced security feature.
You probably don't even need a photo - rather just need one that triggers the geometry math. I'll bet a b&w photo with some edges on it would work - if you understood the underlying algorithm. Think of those "masks" (or makeup) intended to hide you from facial recognition in a crowd, it's the anti-geometry.
This has been the fear of bio-metrics. Cut off a hand or pop out an eyeball. 3D printers. But - the hand & eyeball scanners can (now) tell if you're dead, I think by measuring blood flow or lack of something in the iris. Will facial scanning have to go deeper? Seems good enough for security "that might be the person" - but not "that IS the person"
Bwahahahahaha, fucking hillaryious.
I remember the 1989 Game Space Quest III one of the final puzzles before the action sequences for the end game. Was to wonder the cubes of a software company, being a janitor, cleaning the garbage in each cube you walked by. Working your way to the CEO office taking his ID Card, and on the way back going to the photocopier taking his portrait and make a color copy of it. Using his ID Card and the portrait to gain access to the End Game area. As there was a super advance card reader with a face scanner on it.
There were two more puzzle actions, pushing a button to extend a bridge, and using your trash vaporizer to free some software developers from their lime gelatin imprisonment. But those were rather easy.
With this explanation it is easy to tell the game didn't take itself too seriously. And this spoof of a software company was a jab at Microsoft calling it Scumsoft. and the CEO being a kid CEO as Bill gates was considered at the time.
The Face ID Apple has while not perfect seems to have done it better then anyone else. Because they are a hardware company first, they took a hardware approach to the problem, by adding an IR dot projection of your face to aid in matching. Vs. Microsoft and Google who took a software approach using existing hardware try to get a match.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Put a piece of scotch tape over the camera lense, so it can constantly detect movement and changes but nothing positive about you.
I can see this progressing to Face Captcha:
-Blink left eye once, blink right eye twice, twich right eyebrow up and left eyebrow down to unlock.
of Bill Gates.
Bypassed with a Potato?
The picture of Microsoft Bob works particularly well.
Since when are all the test / usage cases reviewed. Next they will want us to change our Retina Layout, and Fingerprints every 90 days.
Time for a new Political party in the US (or two!) One is off the rails Other cant pony up a leader.