Windows 10 Facial Recognition Feature Can Be Bypassed with a Photo (bleepingcomputer.com) 95
Windows Hello, the face scanning security feature in Windows 10, has been defeated with the use of a printed out picture. From a report: In a report published yesterday, German pen-testing company SySS GmbH says it discovered that Windows Hello is vulnerable to the simplest and most common attack against facial recognition biometrics software -- the doomsday scenario of using a printed photo of the device's owner. Researchers say that by using a laser color printout of a low-resolution (340x340 pixels) photo of the device owner's face, modified to the near IR spectrum, they were able to unlock several Windows devices where Windows Hello had been previously activated. The attack worked even if the "enhanced anti-spoofing" feature had been enabled in the Windows Hello settings panel, albeit for these attacks SySS researchers said they needed a photo of a higher resolution of 480x480 pixels (which in reality is still a low-resolution photo). [...] Microsoft released updates earlier this month to patch the vulnerability.
As used in Space Quest III (Score:4, Interesting)
I remember the 1989 Game Space Quest III one of the final puzzles before the action sequences for the end game. Was to wonder the cubes of a software company, being a janitor, cleaning the garbage in each cube you walked by. Working your way to the CEO office taking his ID Card, and on the way back going to the photocopier taking his portrait and make a color copy of it. Using his ID Card and the portrait to gain access to the End Game area. As there was a super advance card reader with a face scanner on it.
There were two more puzzle actions, pushing a button to extend a bridge, and using your trash vaporizer to free some software developers from their lime gelatin imprisonment. But those were rather easy.
With this explanation it is easy to tell the game didn't take itself too seriously. And this spoof of a software company was a jab at Microsoft calling it Scumsoft. and the CEO being a kid CEO as Bill gates was considered at the time.
The Face ID Apple has while not perfect seems to have done it better then anyone else. Because they are a hardware company first, they took a hardware approach to the problem, by adding an IR dot projection of your face to aid in matching. Vs. Microsoft and Google who took a software approach using existing hardware try to get a match.
Re: (Score:2)
Just wondering, does the IR dot projection scan slow down with age?
Re: (Score:2)
You need a 3d scanner (Score:3, Insightful)
To start scratching real facial recognition
Re: (Score:1)
Shouldn't a video be able to interpret enough 3d with a little motion?
Two words (Score:2)
Shouldn't a video be able to interpret enough 3d with a little motion?
Live Photo.
Or any other brief video clip of the person can be played back to easily bypass a system that relies on motion in a camera.
Re: (Score:1)
So add a captcha like feature : The authenticator asks the user to perform certain actions in randomized order. e.g. lean forward, look up, pause, look left, look forward, wink left eye, smile, stick tongue out, raise eyebrow like The Rock.
Re: (Score:2)
Or any other brief video clip of the person can be played back to easily bypass a system that relies on motion in a camera.
That sounds much more difficult than printing the person's picture.
Re: (Score:2)
That sounds much more difficult than printing the person's picture.
Printing a persons pictures is actually much more difficult these days than taking a brief video or picture from your phone, then re-playingit for the login camera. All iPhone photos by default are short video clips too, so...
Re: (Score:2, Insightful)
I can deal with 3 year of Pence as president. While not my choice and I have political issues with him, at least he will work for the American public.
Ask all us Indianians about that...
waiting for DNA sequencing authenetication (Score:1)
spit into this tube to log into your computer
you just know someone will try jack off into it
Re: (Score:3, Funny)
> spit into this tube to log into your computer
> you just know someone will try jack off into it
(oldie but goodie):
One day Bill complained to his friend that his elbow really hurt. His friend suggested that he go to a computer at the drug store that can diagnose anything quicker and cheaper than a doctor.
''Simply put in a sample of your urine and the computer will diagnose your problem and tell you what you can do about it. It only costs $10." Bill figured he had nothing to lose, so he filled a jar wi
Re: (Score:1)
Missing step (Score:4, Interesting)
What does "modified to the near infrared spectrum" mean?
My printer can't print "near infrared" or radio waves. It can't even print gamma rays.
Re: (Score:2)
What does "modified to the near infrared spectrum" mean?
My printer can't print "near infrared" or radio waves. It can't even print gamma rays.
Infrared ink could come in handy in cold climates. I think Newspapers should start printing papers in infrared ink to help the homeless people keep warm.
Re: (Score:2)
You know how printing red works, right? It prints a pigment or dye that reflects red light. Your printer does not print red light wavelength radio waves.
This is the same thing, except the ink is reflective in the near infrared range.
Re: (Score:2)
Someone give that man some mod points.
Such a dumb idea! (Score:4, Insightful)
Re: (Score:3)
60's scifi writers?
Re: (Score:2)
No, good ones used it, too. Typically, they used it with advanced AI that can tell real people from paper, though.
Re:Such a dumb idea! (Score:5, Insightful)
How about everyone? After all, when was the last time you started a conversation with someone you know by asking someone to authenticate their identity, rather than recognizing who they were and talking to them like normal? These companies are attempting to mimic the way things work in reality, which, generally speaking, is a good thing...when it’s done right.
Re: (Score:2)
Key point: don't release a security feature that's not mature enough to be secure.
To be fair, if security features weren't released until they were truly secure than we would have no security features. It is almost impossible for a small group of people in some software development space to think of all the various ways that the general population will come up with to defeat your security feature.
Re: (Score:1)
Re: (Score:2)
How about everyone? After all, when was the last time you started a conversation with someone you know by asking someone to authenticate their identity, rather than recognizing who they were and talking to them like normal? These companies are attempting to mimic the way things work in reality, which, generally speaking, is a good thing...when it’s done right.
You beat me to it. We all use visual and auditory recognition all the time and thereby assume we know the identity of the people we talk to.
Re:Such a dumb idea! (Score:4, Interesting)
Actually, in-person, we may use facial-recognition to *identify* a person, but never to authenticate their request. For that, we use a signature -- because no one can accidentally give their signature, and we all understand that my signature means you can act, everything else is merely conversation.
The problem here is that the digital facial recognition isn't being used to populate "Hello Jonathan". It's being used to accept commands like "reveal private information", "spend money", "install software", "delete everything".
In the digital world, we like to put the major security up-front (the login credentials), and then the brief security last-minute (the are you sure confirmation). In the real world, we use brief security (you're here to close your account?) at the start of the conversation, and the major security (sign this waiver) at the last minute.
That's because in the real world, getting past the front door gives you physical access, but doesn't really grant you control over anybody. Sure you can steal trinkets, but you can't command someone to do something.
The signature has two benefits. The first is as mentioned above -- we know it means "go". The second is that it is VERY illegal to forge someone else's signature. There are real consequences to that. So it's not something to worry about.
The awesome thing about a password (in theory, of course) is that no one can get it from you without your willingness to give it to them. It's not written anywhere, except in your head, and we've yet to figure a way to read someone's brain memory. Pick the right password, protect it properly, and you needn't worry.
My face, my fingerprints, my dna, my iris, are all scattered around the world, everytime I touch something, go somewhere, or look at something. That's why those things are so great for forensics -- it's very difficult to avoid leaving them as evidence.
Passwords (in theory) are far better. Come up with a type/method/system of password generation/management/transmission, and they'll be infinitely better than anything else imaginable.
Re: (Score:2)
You make some really great points, especially regarding the flipped security prompts between the real and digital worlds, as well as the benefits that passwords provide. And I agree as well that I glossed right over the distinction between identification and authentication, so thank you for calling attention to that. That said, while I heartily agree with most of your overarching points, let me quibble with some of the specifics of what you said.
For instance, you seem to be suggesting that signatures are go
Re: (Score:2)
I do conflate, almost for a living. But I do so in much that same way that when I circle a word, the circle is made big to be obvious, even though it winds up encompassing other words as a result. Similarly, indicating an angle with a short line is not as obvious as using a long line, and it must be understood that the magnitude of my line is not to scale.
So please allow me to delve into the specifics that you quibbled so well!
You mentioned my desire for an "active" authorization. You and I very much dis
Re: (Score:3)
Worse, how does something like this get past QA?
They're either too dim to consider using an image of the person as a test against the functionality, or literally had someone with decision making powers shrug off the fact that you could do this.
Both cases equally make me scratch my head in wonder.
Re: (Score:2)
Why not? Hell I use it on my laptop. Not everyone needs to secure their device. Hell the pin-code on my mobile is 000000 and that's just to conform with a generic company policy.
It's one of the areas where good enough wins the day.
Re: (Score:2)
It's just fine if it's used for your user ID (which is part of authentication).
Is this really a surprise? (Score:3)
We tried finger print recognition which is also terrible because it is too easy to lift a fingerprint from a victim (or even bypass the finger print scanner in many cases). Anything that is easy to lift/take from the user is inherently insecure: Finger prints (scotch tape/talcum powder will get that from any surface including keyboards and coffee cups), facial recognition (just lift a picture from facebook or any social media site where people often publish high resolution photos, even easier than getting a finger print). Voice print is a LITTLE better but voice patterns have been successfully simulated/recorded from everyday conversation or even YouTube lectures. (techies often love to give these).
There is absolutely NO substitute for a good old fashion typed passwords (even better, in combination with typing sampling for speed/patterns). Even voice passwords are potentially easy to copy with a long or even short range microphone The password is proven most secure because it requires you to look into someone's memory or stand over them and watch them type it, unless of course they use the same password across but that requires more time/research than getting a facial picture or even a fingerprint if you know or work with the victim. Perhaps these could be used IN ADDITION to a password, but should NEVER be a substitute. The key to secure is the remember this old axiom: Security comes at the price of convenience. Without exception. Of course common sense rules like password rotation on a regular basis are essential. It is possible to lift a password I imagine using the amount of body oil on each key or even thermal patterns on a keyboard to lift a password, but look at all the effort/equipment required to do that. It feels like every new biometric security toy is less secure than the last.
Re: (Score:2)
Re:Is this really a surprise? (Score:5, Interesting)
Simple means have been shown to be useful for simple biometrics. Simple means are of much less use when some thought is put into the sensors and how to use them.
The claim that FaceID is easily/cheaply bypassed can be laid to rest after a month where no-one other than the people from Bkav were able to duplicate it without resorting to using the passcode to train FaceID to recognize the 3D model.
As for being fingerprints, I've talked with some police forces lab techs who look for and scan crime scene fingerprints. The vast majority of liftable prints are from the balls of your fingers so don't use them for TouchID.
As anyone who has had their fingerprints taken for whatever reason knows, they only ask for the balls of your fingers though they often roll your fingers to get the sides too. What they rarely take is the ends of your fingers -- because with the exception of your dominant hand index, it is much less common that people leave them as usable prints.
By using just the tip of a a non-index finger for TouchID one it makes it much harder to gain that liftable print but still works fine with TouchID.
Even with people generally using the balls of their fingers with TouchID there have been zero reports of a lifted and duplicated print being used to bypass device security. If it were such a danger, one would expect there to have been at least a one story, but no.
Re: (Score:2)
They're not the same tech. FaceID uses active scanning to construct a 3D map. Windows Hello matches flat pictures - mostly in IR but can add regular camera info to make it harder to spoof. The problem is that it fails back to the easily spoofable IR if the other camera is blocked. I've also read that Windows hello can use 3D cameras but other than for fewer and fewer Xbox-1s people don't have them on their Windows Hello devices.
As for the claim that Windows Hello is able to distinguish between identical twi
Re: (Score:2)
Windows 10 is a bit more complex than the first versions of Android or iPhone face recognition - it actually requires infrared capable cameras (it won't work with just any webcam). The theory behind requiring an IR photo was that is was less susceptible to photograph attacks.
One of the cool demos they do is unlock the machine while wearing glasses, sun glasses or no glasses, or with and without hats. It's really up to the enterprise to configure this fully - you can require multiple authentication methods o
Re: (Score:1)
apparently you didn't read what he said. Requires a near IR photo. Apple fanboy inability to read
So Commercial Facial Recognition Is Crap (Score:2)
Basically, at this point, it's a giant gimmick.
Re: (Score:3)
Its good enough to use for targeted ads. Its good enough to use to guess who is in photos to suggest tags if you are into that.
Its not good enough to be secure. And on some level, it can't be. For logging in it should be used to pre-populate your user name... that's it. It shouldn't login based on that alone, it shouldn't give you full admin access to everything on your PC... that's idiotic.
Any QA at all? (Score:2)
Was this not tested against, at all?
Did they not attempt to circumvent this method with a photo? I write code for a living, and something that's continually running through my mind is "how can this fail or break?" I'm certain there are devs at Microsoft who are similarly afflicted.
So I guess the real question is: Was it tested, and everyone just hoped no one in meat-space would also think
Now you need a photo 1280x1024 (Score:2)
MS probably patched the issue by upping the resolution required. That's the super-enhanced security feature.
You probably don't even need a photo - rather just need one that triggers the geometry math. I'll bet a b&w photo with some edges on it would work - if you understood the underlying algorithm. Think of those "masks" (or makeup) intended to hide you from facial recognition in a crowd, it's the anti-geometry.
This has been the fear of bio-metrics. Cut off a hand or pop out an eyeball. 3D print
Do they ever think things thru? (Score:2)