Black Hat Hacker Hacks Facial Recognition
Every year at this time, the Hacking Convention, aka Black Hat DC (2009) reveals another vulnerability in a security technology, challenging the industry to get better at what they already think is "better."
It is now being reported that a team of Vietnamese researchers have cracked facial recognition technology in Lenovo, Asus, and Toshiba laptops.
The researchers cracked the biometric authentication embedded in Lenovo, Asus, and Toshiba laptops by spoofing the biometric systems with everything from a photo of the authorized user to brute-force hacking using fake facial images.
In a paper to be presented at the Black Hat conference, Nguyen Minh Duc from Hanoi University writes that your face is not your password. He and his associates bypassed the computer authentication systems using a photo of the real user as well as by creating phony facial prints.
"The mechanisms used by those three vendors haven't met the security requirements needed by an authentication system, and they cannot wholly protect their users from being tampered," the researchers wrote in their paper on the hack.
Whether or not Duc and his associates are right when they say that "There is no way to fix this vulnerability" might be debated. In fact, each time that I write about a vulnerability of one form of security technology or another, someone writes to counter the argument (often by saying, "well, this is being addressed in version 2.0"). The fact, however, is that in our increasingly security-conscious society, we are depending more and more on technology to protect us. Sometimes (not always), these technologies are not mature and yet are marketed. It is also true to say that the fact that these Vietnamese hackers broke through a facial recognition system on a Windows XP and Vista laptop does not immediately imply that all facial recognition systems can be compromised in the same way.
It might be remembered by ThreatsWatch readers that a few years ago, the MobilPass with an RFID had been spoofed. Later, the RFID in an e-Passport was cloned (at least one reader has assured me that v 2.0 is expected to be better).
There are two comments that I use in my own presentations relating to my random-pattern anti-counterfeit technology.
● Where no negative consequence exists or is perceived, consumers are willing to sacrifice some degree of quality for substantial price differences. A dangerous corollary is that most consumers do not have a completely informed view of all of the negative consequences.
● Instead of asking whether it is possible to break the code, one should ask whether it is feasible to break it; and if the code is broken once (the relationship between the random patterns), what value does that offer the counterfeiter in determining the "nth" pattern?
Hackers and counterfeiters are resilient and resourceful. Most importantly, they have our complacency and sense of well-being on their side to enable them. As the value of something increases, so too does the willingness of the "bad guys" to try to circumvent the technology fences that we build.