Vulnerabilities / Threats

2/12/2009
01:23 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Researchers Hack Faces In Biometric Facial Authentication Systems

Vietnamese researchers have cracked facial recognition technology in Lenovo, Asus, and Toshiba laptops; demonstration planned for Black Hat DC next week

A Vietnamese researcher will demonstrate at Black Hat DC next week how he and his colleagues were able to easily spoof and bypass biometric systems that authenticate users by scanning their faces.

The researchers cracked the biometric authentication embedded in Lenovo, Asus, and Toshiba laptops by spoofing the biometric systems with everything from a photo of the authorized user to brute-force hacking using fake facial images. They successfully bypassed Lenovo's Veriface III, Asus' SmartLogon V1.0.0005, and Toshiba's Face Recognition 2.0.2.32 -- each set to its highest security level -- demonstrating vulnerabilities in the systems that let an attacker cheat them with phony photos of the legitimate user and gain access to the laptops.

These Windows XP and Vista laptops come with built-in webcams that work with the facial-recognition technology. This form of authentication is considered more convenient than fingerprint scans and more secure than traditional passwords. The software scans the user's face and stores the images and facial characteristics. Then the user can log in by scanning his or her face, which is then matched against the image data.

The researchers were able to bypass the authentication system not only by using a photo of the authorized user, but also by creating multiple phony facial images. "The mechanisms used by those three vendors haven't met the security requirements needed by an authentication system, and they cannot wholly protect their users from being tampered," the researchers wrote in their paper on the hack.

One of the researchers, Nguyen Minh Duc, manager of the application security department at the BKIS (Bach Khoa Internetwork Security Center) at Hanoi University of Technology, will demonstrate the hack at Black Hat, as well as the tool he and his colleagues developed.

"There is no way to fix this vulnerability," Duc says. "Asus, Lenovo, and Toshiba have to remove this function from all the models of their laptops ... [they] must give an advisory to users all over the world: Stop using this [biometric] function."

An attacker can edit and adjust the lighting and angle of a phony photo to ensure the system will accept it, according to the researchers. "Due to the fact that a hacker doesn't know exactly how the face learnt by the system looks like, he has to create a large number of images...let us call this method of attack 'Fake Face Bruteforce.' It is just easy to do that with a wide range of image editing programs at the moment," they wrote in their paper.

"One special point we found out when studying those algorithms is that all of them work with images that have already been digitalized and gone through image processing. Consequently, we think that this is the weakest security spot in face recognition systems, generally, and access control system of the three vendors, particularly."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Number of Retailers Impacted by Breaches Doubles
Ericka Chickowski, Contributing Writer, Dark Reading,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19990
PUBLISHED: 2018-07-23
October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder functionality that can result in an Authenticated user with media module permission creating arbitrary folder name with XSS content. This attack appear to be exploitable v...
CVE-2018-19990
PUBLISHED: 2018-07-23
October CMS version prior to Build 437 contains a Local File Inclusion vulnerability in modules/system/traits/ViewMaker.php#244 (makeFileContents function) that can result in Sensitive information disclosure and remote code execution. This attack appear to be exploitable remotely if the /backend pat...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains multiple out of array access vulnerabilities in the mms protocol that can result in attackers accessing out of bound data. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fix...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 contains a Buffer Overflow vulnerability in asf_o format demuxer that can result in heap-buffer-overflow that may result in remote code execution. This attack appears to be exploitable via specially crafted ASF file that has to be provide...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a Vulnerability that allows attackers to consume excessive amount of resources like CPU and RAM. This attack appear to be exploitable via specially c...