Researchers Hack Biometric Faces

yahoi sends in news from a week or so back: "Vietnamese researchers have cracked the facial recognition technology used for authentication in Lenovo, Asus, and Toshiba laptops in lieu of the standard logon/password. The researchers were able to easily bypass the biometric authentication system built into the laptops by using photos of an authorized user, as well as by presenting multiple phony facial images in brute-force attacks. One of the researchers will demonstrate the hack at Black Hat DC this week. He says the laptop makers should remove the facial biometrics feature from their products because the vulnerability of this technology can't be fixed."

Ok then...

[going_the_2Rpi_way]

He says the laptop makers should remove the facial biometrics feature from their products because the vulnerability of this technology can't be fixed.

If that's the standard, all security features should be removed. Everything is somewhat vulnerable, and a determined intruder with infinite resource will almost always find a way in. The object is to make this unreasonably hard for most applications.

If you get your laptop lifted at the coffee shop, they better lift your wallet too I guess.

... Wow.

[Valdrax]

The researchers were able to easily bypass the biometric authentication system built into the laptops by using photos of an authorized user [...]

Tragically, sadly obvious. Not even a hack, really.

Last season in Burn Notice

[HomerJ]

Even made a point of saying "facial recognition systems aren't all that secure. They can't tell the difference between a person and a photo of the person". Then he proceeded to break into the room by holding up a picture of someone that had access.

Re:Ok then...

[spleen_blender]

I don't comment that often but does anyone have any idea on the viability of stereoscopic facial recognition? Wouldn't that make a 3d model required to be presented to the input instead just a 2d one? Or two 2d images offset at the right angle for the distance from the cameras?

Re:Ummm...

[xwizbt]

My iPhone locks itself after a minute and demands a four digit passcode.

It's not the perfect solution, I know, but I don't mind tapping a four digit key out on my keypad after a minute's inactivity on my Mac. Maybe 5. Maybe 10.

That's enough - once you've stolen my Mac, you need to be with it every ten minutes... forever.

Re:hacking? Huh?

[davidsyes]

Not for that. But they should be careful because they probably just pissed off a load of laptop and biometrics software manufacturers who will likely lobby for their being arrested if they land in the US, or if they commence their presentation.

Haven't they heard of Russian and other national's programmers being arrested or threatened with arrest if they land here?

But, if they are REALLY good, they've come up with a solution (for however long decent solutions can be expected to last...), and boost Vietnam's programmer prominence. They're doing not too shabby in the shipbuilding industry

Vinashin:

http://www.vinashin.com.vn/english/Capacity.asp [vinashin.com.vn]

Hyundai-Vinashin:

http://www.hyundai-vinashin.com/ [hyundai-vinashin.com]

Maybe they can help out with the US TSA/TWIC/Port Security algorithms?

But, if they get arrested, I don't think Vietnam will take this lightly. The US better go light on this one because if the biometric software touted as good enough for consumers is a fraud, or shoddy at best, then these programmers are nothing less and probably a little bit more than responsible whistleblowers in my book. Why stand by and watch vapor/failure/crapware enter the market if it can be headed off?

Gesture + facial recognition

[Anonymous Coward]

Wonder if, when you 'enrolled' your face in the recognition software, you held your hand(s) up in the image forming a symbol -- peace sign, one finger salute, whatever. Then someone would have to capture your image at the instant you authenticated.

It would be customizeable and and changeable, unlike your face, and hard to duplicate blindly.

You expect us to be surprised?

[thethibs]

Of course they broke it. "Biometric Authentication" is an oxymoron. The correct phrase is "Biometric Identification". A face or a finger are a claim of identity that still needs authentication with some form of secure credential, e.g. a password.

No Id and no authentication is "public". Id but no authentication is "public, but stupid about it".

one small problem

[westlake]

Tragically, sadly obvious. Not even a hack, really.

if it is not an inside job - how does the thief get his photograph of the "authorized user?"

when the sensor is a webcam - why not include motion or depth perception in the authentication process?

if the camera is sensitive to infrared why not confirm that the heat signature of a live body is present as well?

Re:Ok then...

[Traxton1]

Here's a high quality image of your face from your Facebook page. I mean, I'd have to join the Sacramento network, but its pretty easy if I wanted to.

http://profile.ak.facebook.com/v224/628/60/s501905303_4113.jpg [facebook.com]

I imagine macraig.homedns.org and vulcan tourist.info had pics too but you can't seem to keep them up. I like the cartoon image of you that you usually use though.