Top new - Bkav Corporation

Do your best, the rest will come !

Laptop face-recognition tech easy to hack, warns Black Hat researcher

02:37:00 | 12-04-2012

Computerworld - Digital pictures can fool the built-in systems, Vietnamese researcher claims

WASHINGTON — The face-recognition technologies offered by some laptop vendors as a way for users to securely log onto their systems are deeply flawed and can be relatively easily bypassed, a security researcher warned today at the Black Hat security conference here.

Nguyen Minh Duc, a researcher at Bach Khoa Internetwork Security Centre, a Hanoi-based security firm that is commonly known as Bkis, showed how attackers could break into laptops from Lenovo, Toshiba and Asus featuring face-recognition technologies, simply by using digitized images of the actual user of the systems in each case. The attacks were conducted on a Lenovo system with its Veriface III technology, an Asus system featuring its Smart Logon software and a laptop using Toshiba's Face Recognition technology.

The attacks are possible because the underlying technology used by the vendors for face authentication can be easily fooled — meaning it cannot be trusted for secure log-on purposes, Minh Duc said. He claimed that each of the vendors has been notified of the issue and urged them to reconsider the use of face recognition as a secure log-in option until the problem has been fixed.

Toshiba, Lenovo and Asus are among a handful of vendors currently supporting face authentication as a secure log-in option. The idea is to let a user's face serve as a password for gaining access to a system. Instead of logging in with a username and password, users simply sit in front of a built-in camera on the system that captures an image of their face and compares selected features from the image with those previously registered by the user. Users are granted access only if the images match.

Laptop vendors have touted the technology as safer and easier than relying on usernames and passwords.

The problem, according to Minh Duc, is that face-recognition algorithms cannot tell the difference between a digitized image and a real face. Because the algorithms, in effect, process digital information sent via the camera, it is possible to trick the software with an image of a registered user of a system, he said.

An attacker could obtain a photo of the user and tweak the lighting and viewpoint with commonly available image-editing tools, he said. Because a hacker is unlikely to know what the face stored in the system looks like, he might have to create a large number of digital facial images — each with different lighting and viewpoints — to fool the face-recognition technology. An attacker would need to have a reasonable amount of experience with image editing and regeneration to successfully carry out such attacks, Minh Duc added.

At Black Hat, Minh Duc showed how to access laptops from each of the three vendors simply by placing digitized images of actual users in front of the built-in laptop cameras. The approach worked even when the face-recognition software was set to its highest security setting. With the Toshiba face-recognition technology, Minh Duc had to move the images a bit to fool the technology because it looks for facial movement. It is also possible to use black-and-white images to fool one of the systems, he added.

What makes the vulnerability in laptop face-recognition technology particularly dangerous is that compromises are harder to spot, Minh Duc said. An attacker could gain access to a system without the real user ever knowing about it, he claimed.

In comments sent via e-mail, a Lenovo spokeswoman didn't directly dispute any of the claims made by the security researcher. But she said that the company's VeriFace face-recognition technology offers a "convenient" and "accurate" log-in option for users.

"There are trade-offs between security and convenience, and users should balance the need for convenient, quick access through facial log-in with the higher levels of security that are associated with using complex and lengthy passwords or fingerprint readers," the Lenovo spokeswoman wrote.

She added that VeriFace looks for eye movement to distinguish between a still photograph and a real person. And she said that the face-recognition technology, which is offered only in the vendor's consumer laptops, "continues to be upgraded."

By Jaikumar Vijayan - Computerworld

Related articles:

CNET: Vietnamese security firm: Your face is easy to fake

The Register: Laptop facial recognition defeated by Photoshop

Dark Reading: Researchers Hack Faces In Biometric Facial Authentication Systems

*Note: Bkis is the former trademark of Bkav. Since January 1^st, 2010, Bkav has been consistently used as the official trademark globally.

Others

The DEEP#GOSU virus campaign takes advantage of Google Docs and Dropbox to attack Windows users

LockBit ransomware virus attacks Windows Domain servers in Vietnam

5 million websites are at risk because of vulnerabilities in WordPress' LiteSpeed

Warning: using AI to create fake images and voices to scam money

Bug in Microsoft Outlook allows hackers to steal information and take control of devices

OPSWAT and Bkav signed a strategic partnership

Summary of cybersecurity in 2023 and forecast for 2024

Warning: Many Elknot virus variants appear targeting Vietnamese Linux servers

Bkav launches Bkav Pro 2024 with the orientation of expanding the global market

Applications impersonating government agencies to spread viruses on Android are highly active in Vietnam