Thursday, February 19, 2009

Hackers Make Short Work of "Super-Secure" Facial Biometrics

I hate to say "I told you so", but in light of the past two week battle we privacy advocates have had in order to stop the California DMV from implementing a massive biometrics program, I'm going, I told you so. There, I said it :)

In all seriousness though, this is PRECISELY why we forced this issue into the mainstream and demanded it be debated by the California legislature, with public hearings, BEFORE every Californians license would be forced to include both facial and thumb print biometrics.

As if on que, I found this story today in a number of publications about just how easy it was for hackers to make short work of "super-secure" facial biometrics. Gee, that's funny, all us privacy advocates were JUST being accused of being paranoid Luddites, and now we see there IS good reason to take these things slow.

Check some of my previous posts for the back story on our big biometrics fight here in California. You can also click here to check an article we wrote up on our website.

Daily Tech reports:

The problem with any hot technology in the security world is that the desire to raise a product above the competition seems to invariably lead to boastful claims. Such claims make the technology a high profile target for hackers, and with the bright minds in the field, it takes little time to take many supposedly "unbeatable" countermeasures down. Thus was the case with RFID, recently shown to be extremely insecure, and now it appears that at least some types of biometrics are headed down the same path.


The Vietnamese researchers showed that the tech might not be such a good idea, though, by using multiple means to crack it. The simplest way was to simply use a picture of the person to spoof the webcam into thinking it was the user. Given the ready availability of images on sites like MySpace and Facebook, this seems to be an easy route to access.


The researchers also showed that they could use a brute force attack generating multiple random fake faces to eventually gain access, for lack of a picture to use the easier route. States Profesor Duc in his paper on the hack, "The mechanisms used by those three vendors haven't met the security requirements needed by an authentication system, and they cannot wholly protect their users from being tampered."

He continues, "There is no way to fix this vulnerability. ASUS, Lenovo, and Toshiba have to remove this function from all the models of their laptops ... [they] must give an advisory to users all over the world: Stop using this [biometric] function."

So, photoshop has defeated biometrics! My only point is before we jump head first into the brave new world of biometric systems - which have been touted as the next big thing in computer security - we might want to take notice of the fact that some of them—fingerprint scanners, and now facial ones - have proven to be incredibly easy to bypass.

By the least, it appears they need a little more time, certainly more than we've all been led to believe. One day, perhaps it will be the security scanner of choice, for now, I think the DMV can make due with the old fashioned way...and somehow I think we'll all be just fine.

No comments: