Laptop facial recognition defeated by Photoshop

White hat security researchers have demoed how to bypass the facial recognition systems on several laptops. The facial recognition software on Lenovo, Asus and Toshiba laptops (known as Veriface III, SmartLogon 1.0.0005 and Face Recognition 2.0.2.32, respectively) was compromised by security researchers including Duc Nguyen, …

COMMENTS

This topic is closed for new posts.
  1. Mr B
    Coat

    Crap software

    relegated to faeces recognition.

    At last a good story to crack some bum jokes.

    But on the up (sorry the bottom) side, this still may prove useful to people that did NOT sit on the copy machine during office party last Christmas.

    Mine's the Andrex padded one.

  2. Anonymous Coward
    Stop

    How many times???

    Passwords, PIN codes, pass phrases, encrypted smart cards... all of these can be CHANGED the minute they're compromised as security tokens.

    Biometrics CAN'T! So which fuckwits keep persisting in offering them as security credentials?!!

  3. Xander

    I'm surprised

    That this is pitched as a security feature. The finger-print readers have always carried the "Rapid Logon" message rather than "Secure" for more or less the same reasons - they're very easy to circumvent.

  4. Anonymous Coward
    Anonymous Coward

    But... but... but...

    Jacqui Smith told me that biometrics were foolproof.

  5. Anonymous Coward
    Anonymous Coward

    New term of the day

    "Brute Face Attack"

  6. Ed Mozley
    Stop

    Feeble implementation of biometrics

    If the laptop does not even bother to check biometrics in 3D then there is little point.

    Also the laptop could change the brightness of the screen from dark to light and the webcam look for the pupil of the eye to react. This would also prevent a 'Demolition Man' style hack involving a fountain pen and eye.

  7. Anonymous Coward
    Paris Hilton

    Less Secure Than Text Passwords?

    So these guys suggest not using facial recognition because it's not entirely secure? I wonder how this facial recognition compares with the "standard" logins like text passwords.

    Paris because everyone recognizes her face.

  8. Anonymous Coward
    Anonymous Coward

    Facial recognition at the border

    As goes the laptop version, so goes the border control version of facial biometrics.

  9. Anonymous Coward
    Linux

    Face recognition wasn't secure anyway.

    Just boot in safe mode or with a Linux live CD and you bypass it.

  10. Anonymous Coward
    Anonymous Coward

    This isn't really news..

    Cheap facial recognition software has been highlighted before as being unable to distinguish between a photograph and the real thing. Don't know where I read it, might have been NPL or CESG papers freely available from their web sites.

    But then any decent security bod would tell you never to rely on biometrics alone.

  11. Tom
    Dead Vulture

    Demolition Man

    The Demolition Man style hack would never work anyway. An eye's retina scan changes as soon as it is detached from a body or even if the body is dead.

  12. Colin Guthrie
    Alert

    Nice for a family but not exactly military grade

    As per the title, this would be pretty nifty for a family to pick the right profile to log in with, but only if they don't really care all that much about privacy

  13. James
    Flame

    Biometrics Conceptually Broken

    Quite apart from the previously pointed out problem of not being able to change biometrics when they're compromised, biometrics are broken as a concept.

    Anyone who works with biological systems knows that they constantly change. There is natural change with aging, accidental change with injury or illness, people change weight and shape through exercise and diet (good and bad), even bony structures can be changed with surgery (nose job anyone?). Basing any kind of authentication on such a vastly variable thing as measurements of a biological system is really deeply stupid. Thusly, expect it to come to a government project near you soon. Oh shit, wait...

  14. AJames

    Fingerprints not a good idea either

    I have one of the Asus laptops with facial recognition logon. I gave it a quick try - it's amusing, but obviously easy to fool. My laptop also has a fingerprint reader which can be used to logon. Along with a shiny smooth plastic cover on the top side that always shows a crystal-clear copy of my fingerprints. :-)

  15. Anonymous Coward
    Coat

    Now imagine.....

    ......you are a national police force or transport authority with an uplink to an international database of wanted individuals faces. You deploy facial recognition software and hardware. Suddenly your systems draw a hit.

    He's in Thailand. No wait.... New York. Hang on.... Glasgow.... No No No he's at Heathrow - quick get him. Hang on we shot the wrong bloke.....

    Bugger.

    Mine's the one with the V for Vendetta mask.

  16. Steve Renouf
    Pirate

    @Facial recognition at the border

    Yes, but at the border, the security guy can see if someone is holding up a photo in front of their real face...

    What we really need is for everyone to be implanted at birth with a unique identifying device that can't be removed or compromised, which can then be used for all identification purposes!

    ;-¦

  17. Anonymous Coward
    Anonymous Coward

    I'm surprised...

    ... that anyone is surprised by this... how high tech is it really going to be with a fuzzy webcam on a laptop... it's hardly military grade is it.

    I have always wondered where was voice pattern matching in all this, you could press the login button and the computer show you a word, which you then say (this defeats pre recorded statements being played back) and it can check your voice patterns.

    Still I wouldn't want to trust any one of these methods alone, perhaps we should use fingerprint, face, voice together... if people find it SO hard to type out a password then leave that out.. It would be a fair challenge to photograph someone, chop off their thumb, record the correct word in their voice and also torture their password out of them... and hell why not add a smart card in there too (or the future way, a programmable chip in your thumb, read at the same time as the print... perhaps a chip which shuts down if it detects the thumb is dead - i.e. chopped off).

  18. goon

    I've always thought

    That using biometrics as a replacement for a username but still requiring a password or PIN makes more sense, but what do I know - if you ask my Thinkpad's fingerprint scanner, I can't even be sure I'm me.

  19. Steven Knox
    Boffin

    Fixable

    From the description, it appears that they are taking a single image of a 2-dimensional source (webcam) to validate a 3-dimensional object (face). From that it is trivial to conclude that a sufficiently good 2-dimensional copy (printout) of the face would fool the webcam.

    The obvious hardware solution would be to use 2 webcams and produce a 3-dimensional image to compare against. But it should be possible to produce a software solution with a single webcam taking multiple images if the software can vary the exposure and/or focus.

    Neither of these would stand up against a well-crafted bust, however. But then, neither can I...

    AC: "Biometrics CAN'T [be changed]" Ever heard of plastic surgery? Having said that, the difficulty in changing biometrics is exactly what makes them [when well-implemented] ideal for identification systems. But don't get me started on identification vs. authorization. Suffice to say the system should first identify you [biometrics], then ask for authorization [password/PIN].

  20. richard
    Unhappy

    3d

    yep, part of the problem is the webcam only 'sees' in 2d, so you probably could just hold an image to fool it.

  21. Anonymous Coward
    Joke

    What happens if you have...

    ... a face worse than death?

  22. Q Preik
    Thumb Up

    Should stick with those crappy scap type fingerprint readers

    They're so secure I couldn't even get them to recognize my own thumbprint - so NO ONE could get in!

  23. A J Stiles
    Unhappy

    Some people never learn

    This is really just another manifestation of Schneier's Law.

    The fact that you are unable to defeat a security system you invented does *not* mean that it is impossible to defeat. It could more probably mean that you are just not smart enough to defeat it, but you don't know that nobody else is.

  24. Moep

    Dumb anyways

    I've seen so many Acer laptops with faulty webcams, there's a huge chance no one can break into your computer, but this also means you can't use it either ^^

  25. Simon C
    Paris Hilton

    I truly am amazed

    that prosthetics have not been mentioned.

    surely facial recognition is something that can be easily circumvented by the careful application of facial prosthetics.

    Additionally how many celebrities have lookalikes that make money from the original's fame? Facial features while unique, the general look and shape of your face could be shared with many other people.

    Paris, because she loves the prosthetics.

  26. Walking Turtle
    Linux

    Comparison Shopper asks...

    @ Anonymous Coward Posted Thursday 19th February 2009 14:07 GMT

    > I wonder how this facial recognition compares with the "standard" logins like text passwords.

    Poorly, as pointed up in the article early on. Um, is this your coat?

    Asus dear, I love you honey, but your feet have started to stink. Gimme' me loggin'-in wi' an incomprehensible and non-guessable string o' gib'rish any day and leave the cam-play to the cam-girls, willye' just?

    No such toy in ol' Tux's playroom so far - wouldn't use it if there were. Now, a proper open-source *voiceprint* login module - cor blimey, that'd be an improvement. It were "Speak friend and enter" that baffled ol' Gandalf the Greyhat all day long an' 'arf th' night too, wa'n't it?

    Not that the Orcs Within much cared, as I remember. 'Ad their own not-sodding-authentic (but in is in) NSA-key all registered already, them 'orrid stinking beasts did. ORC: Only Really Crafty... But voice recog surely's more secure than any FR approach if it simply must be tricked-out, I think.

    I also think the Amarok pkg already contains the core of that voice recognition engine. It's earning its minimal keep right now on my KDE desktop (while the Eternal Tibetan Temple Bells and Singing Bowl ensemble ambientizes me entire Secret Main Street Dangerous Research Laboratory) as an eyecandy "analyzer" item known as "Voiceprint" - I've played with its possibilities for years up in the ol' noggin's attic; always meant to break it out for authentication/forensic purposes of my own if ever needs be. (Oval tuit ain't round enuf yet, is all.)

    Penguin mask loose-fitted o'er ol' Roger the Jolly. Arr-r-r.

  27. Chris Savage
    Happy

    Re: Less Secure Than Text Passwords?

    > So these guys suggest not using facial recognition because it's not entirely secure? I wonder how this facial recognition compares with the "standard" logins like text passwords.

    I'd imagine it doesn't compare here in CCTV land, since you're not flashing your text password at the government on every street corner.

  28. Cameron Colley

    RE: How many times???

    Exactly. There is a reason that good practice dictates a change of password after a given interval.

    Facial recognition to select the user, on the other hand, might still be useful -- it would mean logon names would not have to be remembered along with passwords.

  29. John Watts

    @Facial recognition at the border

    You might get noticed holding a sheet of A4 in front of your face ...

    I used it at Stansted before Christmas. It's pretty cool actually. The paranoid conspiracy theorist in me wondered if they were grabbing a sneaky snapshot of my fingerprints at the same time though. If they were then they just know what my knuckles look like ...

  30. James O'Brien
    Coat

    Umm...heh

    All your face are belong to us?

    /Ok ok im gone

  31. Franklin
    Thumb Down

    The problem with biometrics...

    ....is that biometric systems violate the first, most basic rules of security. You can't change your password, and everyone knows what it is.

  32. faibistes
    Thumb Down

    It's not that bad

    OK, it's not a military grade authentication... but more than enough in a home environment. Also, I'm reading shit about 2d vs. 3d and the such. Guys, you don't know the state of the art of face recognition, as it seems:

    1) Lenovo engineers aren't quite as stupid as you think. Of course, the dumb 'Hey, let's wave a photo in front of the webcam' was tested. It doesn't fool the system. WTF, it was the first thing they tested.

    2) The biometrics authentication systems in commercial laptops are toys. iPhoto (which admittedly, is a toy too) after a dozen of training photos or so, can recognize someone in a timespan of all the person's life. So aging, accidents and all that crap is a moot point.

    3) In fact, recent systems are better at recognizing humans than humans themselves. They can distinguish identical twins better than humans. And, let's face it, *any* id system, in the end, goes down to biometrics: a policeman or government officer certifying, looking at ID's photos, fingerprints... that someone is who he claims.

    As an example, in Spain you can get a government X509 certificate that for all purposes is as valid as a written signature. You go to the police, hand them your ID card, and here you are. But, wait a minute, isn't the police officer looking at your photo to authenticate you? Isn't your office boss looking at you to assign you a system password? Have I mentioned that the newest systems are better than humans at recognizing humans? If you ask me, I think that this is a very promising field.

    BTW, I don't get what those folks did to cheat the machine. I simply don't believe they bruteforced the webcam waving photos at it. And if they circumvented the webcam... c'mon, the whole thing is more than flawed.

  33. Anonymous Coward
    Stop

    What if ...

    ... you do a Doctor Lecter and wear someone's face? Or have I missed something?

    A 'nam security firm? Says it all.

    Mine's the one with the text passwords on the back of a used envelope in the pocket. Along with the bone scalpel.

  34. Andrew Commons

    No progress then....

    The German magazine c'T demonstrated the same thing in 2002 (an English translation of the report is not hard to find with Google).

  35. John H Woods Silver badge

    @Cameron

    I would dispute that it is good practice to insist on changes of passwords at regular intervals. It causes decreases in password complexity, increased likelihood of passwords being written or stored by users and a huge inconvenience to users.

    It gives technically challenged managers a warm fuzzy feeling that their systems are secure but it makes security worse. You should assume that once a malicious user has access to another user's credentials, the first thing they will do is to ensure they no longer need them.

    Password expiry sucks. Biometrics suck. Chip & PIN for the win.

  36. Anonymous Coward
    Thumb Down

    Hardly a shock though is it?

    Secure scans use multiple frames & IR to build 3D models - real kudos and cash prizes in defeating them.

  37. Wokstation

    @"I'm Surprised" AC

    Sure, have it do voice recognition... then you get a cold, lose your voice... lose your access to your computer and have nothing to do while you sit in bed sipping lemsip.

  38. Kevin McMurtrie Silver badge
    Coat

    Those aren't my eyes

    Restricting authentication to just faces is where the weakness lies.

    Now give me some privacy while I log in.

  39. Anonymous Coward
    Boffin

    Fingerprint scanners....

    ....meant crooks chopped off your hands to access your computer.

    Surely, facial recognition scanners will mean that....

    Boffin, he looks to be headless..

  40. Anonymous Coward
    Anonymous Coward

    @faibistes

    "The researchers claim that the log-in approach can be defeated using nothing more sophisticated than a photograph of a PC's registered user"

    "Nguyen and his team created a large number of images to run what they described a "fake face bruteforce" attack to fool the systems"

    So yes, they were waving photos at the webcams. RTFA

  41. Goat Jam

    @John H Woods

    Aka "The Post It Note" problem

  42. Steven
    Stop

    @... too many to mention

    Proper facial recognition relies on metrics that can't be easily changed, even by surgery. Though if you want to have your eye sockets moved I can recommend a good sledgehammer.

    It's nonsense to attack biometrics on the basis of some very cheap and shoddy implementations of them. That's not to say that facial recognition is appropriate for use as a single authentication token but then what secure system would only use a single token?

  43. Joe Blogs

    Change password

    With facial recognition, changing "password" is easy (for blokes anyway), just grow a beard!!!

  44. Dr Patrick J R Harkin

    Hmm. What we need is interaction...

    "Please look at the camera."

    "Identity confirmed - you look like my user. By the way, my hard drive lost five bad sectors overnight so that report for the MD you worked on until 4:30am is irretrievable."

    "You are not crying. You are not really my user. You are a photograph! Hah! One more point to me, fleshy hacker weaklings!"

  45. philbo

    @Tom

    > The Demolition Man style hack would never work anyway. An eye's retina scan

    > changes as soon as it is detached from a body or even if the body is dead.

    An eye's retina is also rather difficult to read with a fountain pen impaling the eyeball...

  46. Anonymous Coward
    Stop

    Umm..

    Ok, so I have all my pr0n stashed on my computer with facial recognition protecting access to it..

    While driving my car, I have a particularly nasty accident and my face gets mangled pretty bad.. so bad, my wife won't want to look at me, so I'll need emergency access to all my smut.. but how do I get in if my face is distorted??

    ... and what if my evil twin steals my laptop??

    It's a shit idea and it'll never work.. but I bet the government have already earmarked my hard earned income tax to fund its implementation for their next hairbrained scheme.

  47. RW

    Voiceprints

    What happens when your voice changes significantly? -- as it often will if you have a cold. Or, for that matter, surgery of some types.

    Mine once dropped at least an octave, from its usual Highly Butch low voice to a much deeper Gubernator style one. I amused myself by recording a new message on my answering machine that no one could recognize as me.

    And I'm sure we've all had laryngitis that prevented any speech except a high-pitched whisper.

    PS: As for facial recognition, what happens when a woman changes her usual makeup significantly? There are women who use so much mascara and eye shadow that they look like raccoons, but sometimes they wake up to the awfulness of their appearance, and switch to the well-scrubbed look.

  48. Adam Pash
    Happy

    Discovered by me, he only practice

    http://lifehacker.com/software/featured-windows-download/add-face-recognition-login-with-bananascreen-277812.php

  49. Darin Beery

    actually, it CAN be done well

    Are biometrics and facial recognition perfect? Of course not. No security solution is. With enough time and access to your PC, any and all security can be bypassed eventually.

    What bothers me about this article is the implication that facial recognition in general doesn't work. As with all security solutions - or even all software in general - it's not the technology concept itself that counts, but the specific IMPLEMENTATION of that concept that matters. Just because Notepad is a terrible word processor doesn't mean that they all are.

    I've actually worked as a vendor of facial recognition security software for PCs for several years now (Sensible Vision). We've successfully protected PCs in security critical organizations such as hospitals and banks - even a maximum security prison - for years. Our consumer platform on Dell computers (not examined in this study) is both easy to use and has very real security benefits (including automatic locking of the desktop when the user is NOT there....typically a much bigger threat in most environments than a sophisticated, time consuming "replay attack" ).

    Bottom line - despite the implications of the article, by minimizing weaknesses, publicizing those that remain and then providing tools to address them, convenient and secure facial recognition for PCs can actually be done and done well.
