Vulnerabilities / Threats

2/12/2009
01:23 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Researchers Hack Faces In Biometric Facial Authentication Systems

Vietnamese researchers have cracked facial recognition technology in Lenovo, Asus, and Toshiba laptops; demonstration planned for Black Hat DC next week

A Vietnamese researcher will demonstrate at Black Hat DC next week how he and his colleagues were able to easily spoof and bypass biometric systems that authenticate users by scanning their faces.

The researchers cracked the biometric authentication embedded in Lenovo, Asus, and Toshiba laptops by spoofing the biometric systems with everything from a photo of the authorized user to brute-force hacking using fake facial images. They successfully bypassed Lenovo's Veriface III, Asus' SmartLogon V1.0.0005, and Toshiba's Face Recognition 2.0.2.32 -- each set to its highest security level -- demonstrating vulnerabilities in the systems that let an attacker cheat them with phony photos of the legitimate user and gain access to the laptops.

These Windows XP and Vista laptops come with built-in webcams that work with the facial-recognition technology. This form of authentication is considered more convenient than fingerprint scans and more secure than traditional passwords. The software scans the user's face and stores the images and facial characteristics. Then the user can log in by scanning his or her face, which is then matched against the image data.

The researchers were able to bypass the authentication system not only by using a photo of the authorized user, but also by creating multiple phony facial images. "The mechanisms used by those three vendors haven't met the security requirements needed by an authentication system, and they cannot wholly protect their users from being tampered," the researchers wrote in their paper on the hack.

One of the researchers, Nguyen Minh Duc, manager of the application security department at the BKIS (Bach Khoa Internetwork Security Center) at Hanoi University of Technology, will demonstrate the hack at Black Hat, as well as the tool he and his colleagues developed.

"There is no way to fix this vulnerability," Duc says. "Asus, Lenovo, and Toshiba have to remove this function from all the models of their laptops ... [they] must give an advisory to users all over the world: Stop using this [biometric] function."

An attacker can edit and adjust the lighting and angle of a phony photo to ensure the system will accept it, according to the researchers. "Due to the fact that a hacker doesn't know exactly how the face learnt by the system looks like, he has to create a large number of images...let us call this method of attack 'Fake Face Bruteforce.' It is just easy to do that with a wide range of image editing programs at the moment," they wrote in their paper.

"One special point we found out when studying those algorithms is that all of them work with images that have already been digitalized and gone through image processing. Consequently, we think that this is the weakest security spot in face recognition systems, generally, and access control system of the three vendors, particularly."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AmmyW402
50%
50%
AmmyW402,
User Rank: Apprentice
9/7/2018 | 7:03:59 AM
asus pc link driver error 0x111
Hey! I am a new blog reader, I have no idea about the post. I read completely your post, I bookmarked your website URL for the latest post. I have interested in your post, it's very helpful for me. I have an error with Asus pc link driver error 0x111 just I want to know that how to handle this error.
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6487
PUBLISHED: 2019-01-18
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.