Multiple OEMs have positioned their face-recognition software packages and supporting laptops as offering a higher level of security than a conventional login/password system. At Black Hat DC this week, however, researchers from Vietnam proved otherwise, demonstrating multiple attack vectors through which the sensors could be breached. Biometric systems have been touted as the next big thing in computer security for the past several years, despite the fact that some of them—fingerprint scanners, for example—have proven to be incredibly easy to bypass, requiring little more, in some cases, than some scotch tape and a bit of patience. Facial-recognition scanners have been a hot commodity on laptops of late, but researchers scheduled to present at the ongoing Black Hat DC conference this week have demonstrated that current implementations have flaws of their own.
The researchers were able to bypass Lenovo's Veriface III, Asus' SmartLogon V1.0.0005, and Toshiba's Face Recognition 2.0.2.32, even with each program set for maximum security. Information on exactly which programs were bypassed by which methods is presumably contained within the team's full documentation, which is not available as of publication time.
According to Dark Reading, a variety of attack vectors ultimately proved successful, including photo substitution (using a photo of the actual owner) as well as brute-force attacks in which multiple images of different people were presented to the scanner. The latter technique apparently requires at least a moderate period of time to execute; the attacker has no way of knowing in advance which photo(s) will prove capable of bypassing the security sensor. Based on their findings, the security team recommends that the applications be overhauled.
One of the team members presenting at Black Hat, Nguyen Minh Duc, had harsher words for the various affected OEMs. "There is no way to fix this vulnerability," Dark Reading reports Duc saying. "Asus, Lenovo, and Toshiba have to remove this function from all the models of their laptops... [they] must give an advisory to users all over the world: stop using this [biometric] function."
Duc's criticism seems unduly alarmist, though the fact that images that have been digitized and printed can be used to fool the sensor is a further weakness in these systems. Biometric scanners in their current form are far from perfect, but then again, most users choose passwords that can be brute-forced within minutes. Just as any given computer user could theoretically choose a 24-digit sequence of randomized characters for a password, a laptop OEM could probably pair an ultra-high resolution camera with an exacting set of guidelines to create a detection system that could pick up on whether or not you had clipped your nose hairs this morning.
The problem with 24-digit completely random character strings as passwords is that they're hard to remember, and the problem with ultra-high resolution scan that's then compared against a pre-saved RAW image is that the camera would be unforgiving and it might take ten minutes to login. In order to make a comparison and login quickly, a scanner must therefore be calibrated to accept a significant degree of "error" when performing an analysis against its baseline image.
As image comparison technology improves and the quality of built-in cameras increases, facial scanners will probably become harder to fool. Alternatively, it may be possible to "train" them to hone in on particular facial features: the shape of a person's smile, the amount of space between their eyes (or the shape of the eyes themselves), and any other distinctive/striking mark or shape might be integrated into a computer's identification protocol when determining if you are really you. Even in these cases, however, it would still be theoretically possible to fool the scanner.
It may be true that biometric scanners are being mismarketed, but the relevant standard should be whether these newfangled options provide a level of protection that's at least as good as a standard login/password. If we're honest with ourselves and admit that normal computer users pick passwords that provide them with a level of security equivalent to that which the Maginot Line provided France, it's clear that the bar is one notch above sitting on the floor.
Biometric sensors need to be improved and they probably need to be combined with other methods of authentication (biometric or otherwise) in order to be completely effective, but I'm not convinced Asus, Lenovo, and Toshiba should all collectively dump their services. Kudos to Asus, by the way, for providing far more information on its SmartLogon service than I was able to quickly locate at Lenovo or Toshiba's sites, but the company hears a knock for claiming: "In case you are wondering, ASUS notebooks with ASUS SmartLogon with face recognition technology can distinguish people from pictures." Of the three, only Lenovo's copy implies that users may still want to use other secure verification methods; VeriFace "lets you use the unique features of your face to add a new level of security to your system." Asus and Toshiba both explicitly position their biometric authentication systems as a replacement for other security options.
Alternatively, we could ditch all this amateur stuff and go straight for retina scans and blood samples. At least if we went this route we'd quickly identify any Changelings or broken ladders in our midst.
(Condé Nast Digital)