Print
So you thought the facial recognition technology built into your laptop would keep your business and personal information safe? Bwa-ha-ha! Today, the Black Hat DC 2009 security conference found out that, as Vietnam-based security researcher Nguyen Minh Duc puts it, Your Face is NOT Your Password.
Nguyen's paper reveals (PDF link) that it's relatively simple to hack facial recognition systems included in webcam-equipped laptops from Lenovo (Veriface III), ASUS (SmartLogon v1.0.0.0005), and Toshiba (Face Recognition 2.0.2.32). Methods used included using photographs in place of live faces (Facebook, anyone?) and performing brute-force attacks by changing lighting and photo angles in a digitized face until the system permits access.
Are you counting on facial-recogntion technology to keep your stuff safe? Is your company? Hit Comment and sound off on this latest "unbreakable," but now broken, access-control technology.
Comments are closed on this article
aman
November 19, 2010 at 4:06am
We are living in the age of internet. But the online processes are not safe enough and so that every year new and advance security systems are introduced. But all those efforts went in vain when it is found that advance security systems were breached. Virtualization Security
yhn
December 18, 2009 at 6:08am
Please give more details regarding the topic facial cream.
hairdressing sydney
http://www.carmenshairdesign.com.au
svrep
February 25, 2009 at 4:56pm
Just like all security solutions - or even all software packages - it's not the technology concept itself that counts (as the Black Hat research would seem to imply), but the specific implementation of that technology that really matters. While no security solution is or ever will be perfect, it's also true that not all packages have the same weaknesses.
I say this from experience. I've actually worked at a facial recognition firm (Sensible Vision) for several years. We've successfully protected PCs in security critical organizations such as hospitals and banks - even a maximum security prison - for years now. Our consumer platform on Dell systems (not examined in this study - interesting, yes?) is highly photo resistant, provides other security benefits such as locking the desktop when the user is NOT there, and - critically - has a very easy straight forward second factor feature that all but resolves the photo issue entirely.
Instead of denying that any vulnerabilities exist, the way to a secure system is to minimize weaknesses as much as possible, publicize those that remain and then to provide tools to address them.
savage4naves
February 20, 2009 at 7:40am
I wonder if this problem plagues the Dell Studio XPS 16....
svrep
February 25, 2009 at 5:05pm
Although I will admit to my bias as working for the manufacturer of the Dell FastAccess sytem (Sensible Vision), I can say with confidence that it does not. There's a reason that it wasn't included as part of the "research" article! The Dell version is based on enterprise level software that's been used for years in high security environments.
Is a photo attack impossible? Of course not. It is in this case, however, it's both very difficult and very manageable with the optional "Face + Password" feature. This feature prompts the user for just a few characters of their password if they've been away from the system for longer than a specified period of time. This effecitvely addresses photo ("replay") attacks at the same time it does a good job of maintaining the overall convenience of facial recognition (convenience BEING ITSELF a security factor on consumer systems. If it's not easy to use it gets shut off quickly...negating any security benefits altogether!)
Furii
February 20, 2009 at 6:04am
I'm an electronics security technician for the government and I can tell you the government funded facial recognition systems do NOT have these flaws. However no security system is impervious which is why layered security systems are used in important areas, e.g. Facial Scanner paired with a proximity card reader or smart chip reader, or in some cases a 6-8 digit pin as well.
Key thing here is never to use a single new means of access control by itself. You want a new laptop with facial recognition? Pair it with a strong password and you'll have no problems.
AndyYankee17
February 19, 2009 at 9:24pm
well if you want real security (like DoD security) you could always make laptops with 2 cameras one on each side that it can make a somewhat 3d photgraph which would be virtually impossible to crack
rayatwork05
February 20, 2009 at 12:34pm
you could still use 2 pics or brute force that method just as easily.
I Jedi
February 19, 2009 at 10:42pm
How so? I mean, I'm not disagreeing with you on the subject or nothing, but I'm interested to know how and why?
AndyYankee17
February 22, 2009 at 1:18pm
added depthperception, like using 2 eyes?
or they could always use an infrared camera
