Researchers Hack Biometric Faces

yahoi sends in news from a week or so back: "Vietnamese researchers have cracked the facial recognition technology used for authentication in Lenovo, Asus, and Toshiba laptops in lieu of the standard logon/password. The researchers were able to easily bypass the biometric authentication system built into the laptops by using photos of an authorized user, as well as by presenting multiple phony facial images in brute-force attacks. One of the researchers will demonstrate the hack at Black Hat DC this week. He says the laptop makers should remove the facial biometrics feature from their products because the vulnerability of this technology can't be fixed."

Re:hacking? Huh?

[fuzzyfuzzyfungus]

I assume that grandparent is alluding to the Dmitry Sklyarov case. Some years back; but fairly big news, in geek circles, at the time.

Re:Mythbusters & fingerprint recognition

[Cobra Spaz]

Fingerprint readers are very easy to crack if you have someones finger print. The last company I worked for they had to types of fingerprint readers. You could crack them both by placing a scanned image of the fingerprint on the reader. The only difference between the two was that one of them only scanned if it sensed enough heat and the of scan plate was grounded by being touched. So it was slightly more difficult to crack. It took awhile to find the right paper that allowed enough heat to come through and then we pass the grounding check by barely touching the edge of the scanner with one of our fingers. Biometric protection is great when it is part of a multi-layered scheme however by itself it is too easy to bypass. I still think that facial recognition and/or a fingerprint scanner is a great addition to a strong password, but it should never be used by itself to begin with.

Re:Ok then...

[Rog-Mahal]

"One special point we found out when studying those algorithms is that all of them work with images that have already been digitalized and gone through image processing. Consequently, we think that this is the weakest security spot in face recognition systems, generally, and access control system of the three vendors, particularly." (From the article) Doesn't sound like you need an amazing quality photo.

Re:Last season in Burn Notice

[citizenr]

yes, and in last episode they showed how you can defeat cellphone jammer using Ethernet patchcord connected into mainframe as an antena .. this show is full of GARBAGE Science

Re:hacking? Huh?

[Verteiron]

Here's an up-to-date partial list of security researchers who have been threatened with legal action for releasing research on security vulnerabilities:

http://attrition.org/errata/legal_threats/ [attrition.org]

It should give you an idea of why people are concerned.

Re:hacking? Huh?

[EdIII]

Reverse engineering code to demonstrate flaws is one thing. Testing the software in a complete fashion without breaking into the code is quite another. Get YOUR facts straight.

You want me to get my facts straight? Ummm, OK.

What situation are you referring to in the first place? I also don't understand the difference between reverse engineering code and demonstrating the function of intact code. Both would seem to me to have the same goal, which is to demonstrate that the intended goal of the software is flawed in some way. Neither should be illegal and cause for arrest. It should not be grounds for a lawsuit either.

By all means, please be more specific as to the differences. I would like to know just how one of the situations I mentioned should be illegal or actionable. Help me get my facts straight. Provide your arguments why the arrest was correct and explain the actions.