Security News Face Authentication Systems Can Be Bypassed Using a VR Headset & Facebook Photos

Exterminator

Computer scientists from the University of North Carolina at Chapel Hill have devised a method of bypassing face authentication systems using photos, 3D modeling software, and a VR (Virtual Reality) device.

One of the many new biometrics-based methods of authenticating users is facial recognition, which uses data about a person's distinct face shape and its characteristics, like eyes, nose, mouth, and the depth and distances between them.

Facial authentication systems appeared in the 90s, but became more popular in the 2000s, as hardware and software became more powerful.

For earlier versions of face recognition systems, scientists proved that by putting a photo in front of the system's camera or video input, they could trigger the system into authenticating an attacker.

Modern facial recognition systems can't be tricked with photos anymore

But times have changed. Since then, to mitigate this attack vector, many companies providing facial recognition software started taking into account various secondary interactions such as the presence of different textures on the user's skin, asking the user to blink or perform other actions, or detecting small head movements as the user breathes.
As such, modern-day facial recognition software is much stronger, and can't be fooled with a photo of the original user.

It's these defenses that Yi Xu et al. set out to bypass. Their research, presented two weeks ago at the Usenix Security Symposium in the US, details a brand new methodology for breaking modern face authentication systems.

VR headsets abused to bypass facial recognition systems

Researchers carried out a set of experiments using volunteers and five applications that provide facial authentication for mobiles and laptops.

Researchers had the volunteers create accounts with these five apps, took their picture using a camera, and a photo from their social media accounts.

They passed the photo through a 3D modeling software, which used special functions to create a very accurate 3D model of the volunteer's head.

They then transferred this 3D head to a VR device, which the researchers placed with its screen in front of the device running the facial recognition software.

100% accuracy rate for hi-res photos

The five tested apps were 1U App, BioID, KeyLemon, Mobius, and True Key. Researchers said that when they used photos of the volunteers they took themselves, they managed to authenticate on all apps for all volunteers.

When they used social media photos, the photo quality was lower, and they had a smaller authentication rate.

"In our opinion, it is highly unlikely that robust facial authentication systems will be able to operate using solely web/mobile camera input," the researchers write. "Given the widespread nature of high-resolution personal online photos, today’s adversaries have a goldmine of information at their disposal for synthetically creating fake face data."

"The strongest facial authentication systems will need to incorporate non-public imagery of the user that cannot be easily printed or reconstructed (e.g., a skin heat map from special IR sensors)," the team also added.
 

hjlbx

No surprise here. The trend for many years has been to post photos and reveal personal details all over the net - most notably on Facebook and other social media sites. Users have just screwed themselves by greatly impacting their data security through all their careless and reckless online activities.

If you put personal data out there - even an image - no matter how seemingly careful or protected you think that you are - I can find a way to use it maliciously...

At the same time it is a complete joke that some companies will not interview/hire job applicants that have no "online presence."

There is little protection to be had in IT nowadays - and the best strategy is to share as little personal data as is practicable. Put your "stuff" out there, and well... all bets are off.
 

davidp

Also not surprised. I look at defense systems as a contract between a user and society. Don't want somebody in your house? Add a lock. Some subset of people will still be able to break in, because they have discovered ways to defeat the mechanism. But you hope that you aren't important enough or randomly targeted, and you move on with life. Systems are breakable when smart and clever minds set out to find flaws.
 

JHomes

Good luck hackers. What you don't know is that I can change my appearance Mission Impossible style.
 