Vietnamese security firm: Your face is easy to fake
During demonstration, company shows that face recognition-based authentication in laptops from Lenovo, Toshiba, and Asus may not be an effective security measure.
Updated at 1:14 p.m. PST Friday, December 5 with comment from Lenovo.
Editor's note: CNET editor and Crave contributor Dong Ngo is spending the month of December in his homeland of Vietnam and plans to file occasional dispatches chronicling his impressions of how technology has permeated the culture there. Click here for more of Dong's stories from abroad.
HANOI, Vietnam--Regardless of what some people seem to think, we Asians do not all look the same. But according to the current face recognition algorithm used in laptops, our faces are all about as flat as a piece of paper.
That's according to BKIS, the Vietnamese Internetwork Security Center that makes the antivirus software I mentioned in a blog post Monday. At a press conference here Tuesday, the company demonstrated vulnerabilities in laptops' face recognition-based authentication mechanisms that let anyone log in to a computer easily with a "special" photo of the legit owner, even at the highest authentication level.
Using your face as the password to log in to a computer--an alternative to the fingerprint method or the traditional username and password--marks a new trend found in laptops from Lenovo, Asus, and Toshiba. As far as I know, only these three vendors currently offer this technology in their laptops. These computers come with a built-in Webcam that's used to capture and analyze faces.
I've been impressed by this new way to log in and have found it to be so much more convenient than the fingerprint reader of my Dell XPS 1330. The finger scanner is a pain when my finger is wet or dirty. Unfortunately, on Tuesday I discovered that this new and exciting technology may not be such an effective security measure.
I participated in a demonstration on a Lenovo Y430, running Windows Vista, and here's how it panned out:
First, I enrolled myself as a legit user of the computer. The process was fairly fast and straightforward. The laptop's Lenovo Veriface III authentication software scanned my face for some prime spots, including my eyes, presumably to make sure it can recognize my face regardless of which angle I look at the Webcam from.
Once the enrollment was done, I was able to log in quickly with my face. The machine took less than a second to recognize me. Very nice.
After that, I engaged in a Skype video chat with a BKIS technician. At the other end of the chat section, the technician silently captured my face. This took just a few seconds. My involvement in the demonstration was now done.
About five minutes later, the technician produced a rather unflattering picture of me on a piece of letter-size paper. I could hardly agree that it was my mug on the photo. Nonetheless, when used in front of the laptop's camera, the Y430's authentication software was happy enough with the photo and logged in within a second. Pretty scary.
In addition to the Lenovo Y430, BKIS also showed that the same thing can be done with two demo laptops from Asus and Toshiba. It charged that all laptops from these vendors currently equipped with the technology are similarly vulnerable.
BKIS says it informed all three related vendors about the findings and invited them to the demonstration. However, none showed up. I tried to contact Toshiba and Asus representatives in Vietnam, but so far have been unable to reach them. On Wednesday, a Lenovo representative from Singapore offered this comment:
"Face recognition technology is offered as an alternative security option for consumers who would like the convenience of not having to remember yet another password. Our advice to concerned consumers is to take basic safety measures to limit their vulnerabilities--store your notebook securely...Like all technologies, early adoption reveals initial issues that are improved over time, and Veriface, which is only used in our consumer range of notebooks, continues to be upgraded."
Getting back to the pictures, it's important to note that not any photos of a legit user's face will do. Duc Minh Nguyen, BKIS' manager of application security department, said the photo doesn't have to be high quality. It does, however, need to be processed in a very particular way, mostly to enhance certain key points of the face and adjust contrast level to match the "expectation" of the face recognition algorithm.
For security reasons, the actual key points and the particular enhancement were not announced to the public. However, my take is that the use of these photos is probably possible because the authentication software looks at the face as a 2D object, instead of a 3D one. This makes each face much less unique than it actually is.
This is not the first time BKIS has discovered security holes. Recently, the center alerted Microsoft to the vulnerability in Windows Media Encoder 9 and turned up the latest vulnerability in Chrome.
Quang Tu Nguyen, BKIS' director, said these face recognition vulnerabilities are very hard to fix without making the log-in process significantly less easy to use, which defeats the purpose of the technology. For now, he advised owners of these laptops to use the traditional username and password authentication method--or just don't not to trust the computer with sensitive information.
Whether face recognition authentication is actually useless, we'll have to wait to see. In the meantime, I guess I'll just have to continue to keep my finger clean and dry at all times.
