Facial Recognition Fails at Black Hat
Expert reveals that biometric security on major vendors' notebooks provides little protection.
They just need to replicate it.
No, the process doesn't involve cloning or harvesting organs. Instead, researcher Duc Nguyen demonstrated in a presentation here at the Black Hat security conference that all it takes is a photo to defeat biometric face-recognition technology found on notebooks from Asus, Lenovo and Toshiba.
But Nguyen's findings could call into question how secure facial recognition technology actually is in its current state.
"All the face recognition techniques on all three laptops can be broken with a photo," Nguyen said during his talk. "I still don't believe it."
Though Asus, Lenovo and Toshiba each have their own unique algorithms, the basic mechanism for creating a legitimate biometric login is the same for all three: A user sits in front of their notebook while its built-in Webcam scans their face to create an image used for future identification.
Despite different names and approaches -- Lenovo's technology is named VeriFace, while Asus calls its solution Smart Logon and Toshiba's simply goes by Face Recognition -- Nguyen claimed that all three technologies had flaws that can enable an attacker to gain access.
He showed off the technique on an Asus laptop, demonstrating that a randomly selected audience member could successfully defeat the machine's security using just a color copy image of the owner's face.
"It means that this laptop is broken," Nguyen said. "We found that the algorithm for face recognition has a weakness, and based on that, a bad guy can create a fake face recognition login."
Nguyen added that while the Asus notebook enables its user to define the level of security for face recognition, he was able to defeat the technology at all security settings.
Bypassing biometric security with ease
Making matters worse is how easily an attacker could gain access to the machines, Nguyen said. He claimed that a hacker could use either a picture of the user or simply rely on a brute-force attack, in which he or she tests different facial elements in a composite image.
But brute force might not even be necessary, considering how simple it is to find a user's picture. Nguyen pointed to sources like Flickr and Facebook, as well as images captured during video chat on services like Skype or MSN, Yahoo and AOL instant messengers.
During his presentation, Nguyen demonstrated how he could produce an image capable of defeating face-recognition technologies by capturing a user's picture from a Skype video chat.
The researcher also successfully demonstrated failures in the notebooks' security using both high- and low-quality images, at various sizes and in both grayscale and full color. With the Lenovo notebook, Nguyen demonstrated that he had to move the photo around in front of the Webcam to mimic a real human's movements. The Toshiba required similar motion, while the Asus laptop did not require any motion.
That's in spite of the fact that at least one vendor's approach to facial recognition is designed to avoid being fooled by images.
"The technology looks for eye movement to distinguish between a still photograph and a real person," Kristy Fair, a spokesperson with Lenovo, told InternetNews.com in an e-mail.
Nguyen also said during his talk that he found that the Lenovo notebook accepted grayscale images while the Asus and Toshiba did not.
"Toshiba is more secure than Lenovo or Asus, but ... we can still break into the system," Nguyen said.
Who's at fault here?
Nguyen claimed that the manufacturers are aware of the problems with face recognition technologies. InternetNews.com was unable to independently verify Nguyen's claim about all three vendors' knowledge of the issue. Spokespeople from Asus and Toshiba did not return requests for comment by press time.
But a Lenovo spokesperson said the facial-recognition features found on its IdeaPad laptops and netbooks are meant to make login easier -- not for the utmost in security.
"Facial recognition has been designed to offer users accurate login," Fair said. "There are trade-offs between security and convenience, and users should balance the need for convenient, quick access through facial login with the higher levels of security that are associated with using complex and lengthy passwords or fingerprint readers."
This article was first published on InternetNews.com.