The facial recognition technologies offered on some laptops are deeply flawed and can be relatively easily bypassed, a security researcher has warned.
Nguyen Minh Duc, a researcher at Bach Khoa Internetwork Security Centre, a Hanoi-based security organisation, showed how attackers could break into laptops from Lenovo, Toshiba and Asus featuring facial recognition technologies, simply by using digitised images of the actual user of the systems in each case.
The attacks were conducted on a Lenovo system with its Veriface III technology, an Asus system featuring its Smart Logon software and a laptop using Toshiba's Face Recognition technology.
The attacks are possible because the underlying technology used by the vendors for face authentication can be easily fooled, meaning it cannot be trusted for secure log-in purposes, Minh Duc said.
He claimed that each of the vendors has been notified of the issue and urged them to reconsider the use of face recognition as a secure log-in option until the problem has been fixed.
Toshiba, Lenovo and Asus are among a handful of vendors currently supporting face authentication as a secure log-in option. The idea is to let a user's face serve as a password for gaining access to a system.
Instead of logging in with a username and password, users simply sit in front of a built-in camera on the system that captures an image of their face and compares selected features from the image with those previously registered by the user. Users are granted access only if the images match.
Laptop vendors have touted the technology as safer and easier than relying on usernames and passwords.
The problem, according to Minh Duc, is that facial recognition algorithms cannot tell the difference between a digitised image and a real face. Because the algorithms, in effect, process digital information sent via the camera, it is possible to trick the software with an image of a registered user of a system, he said.
An attacker could obtain a photo of the user and tweak the lighting and viewpoint with commonly available image-editing tools, he said.
Because a hacker is unlikely to know what the face stored in the system looks like, he might have to create a large number of digital facial images, each with different lighting and viewpoints, to fool the facial recognition technology. An attacker would need to have a reasonable amount of experience with image editing and regeneration to successfully carry out such attacks, Minh Duc added.
At Black Hat, Minh Duc showed how to access laptops from each of the three vendors simply by placing digitised images of actual users in front of the built-in laptop cameras.
The approach worked even when the facial recognition software was set to its highest security setting. With the Toshiba facial recognition technology, Minh Duc had to move the images a bit to fool the technology because it looks for facial movement. It is also possible to use black-and-white images to fool one of the systems, he added.
What makes the vulnerability in laptop facial recognition technology particularly dangerous is that compromises are harder to spot, Minh Duc said. An attacker could gain access to a system without the real user ever knowing about it, he claimed.