If A Phone's Facial Recognition Security Can Be Defeated By A Picture Of A Face, What Good Is It?
from the a-thousand-logins dept
No technology is perfect and facial recognition software is obviously no exception. But whereas law enforcement groups use this flawed technology in too many instances, device manufacturers are beginning to ship out security features that rely on facial recognition software almost ubiquitously. Many might look at this modern technology and imagine defeating it and logging into another person's phone would resemble some kind of Mission Impossible style convolution. Sadly, as proven again recently with the release of Samsung's Galaxy S8, defeating the security feature is laughably simple.
With the public's first exposure to the Galaxy S8 happening a few days ago, it was only a matter of time until one of these biometric solutions had some holes poked in it.
One of those holes is that Galaxy S8's face recognition can be tricked with a photo. At least this is what a video from Spanish Periscope user Marcianophone purports. About 6 minutes into the 40-minute Spanish-language video, you can see the attendee take a selfie with his personal phone, then point it at the Galaxy S8, which is trained to unlock with his face. It only takes a few minutes of fiddling before the Galaxy S8 gives in and unlocks with just a picture, moving from the "secure" lock screen right to the home screen. Once the user dials in his technique, he shows the trick is easily repeatable.
This trick actually goes back quite a ways to earlier versions of the Android OS. Google had attempted to defeat this workaround by requiring users to blink during the facial recognition scan. That was almost immediately defeated by phone-breakers having to have two pictures instead of one, including one with the persons eyes closed and then switching between pictures during the scan. If you aren't laughing as you're picturing this in your head, your sense of humor is broken, because it's fairly hilarious.
Less funny is the obvious question: why bother with this stuff at all if it's so easily defeated? Samsung, to its credit, doesn't allow facial recognition to authorize Samsung purchases. If it's not good enough for that, why should it be good enough to serve as a locking mechanism for the phone at all? Other locks, including other biometric locks, perform far better. Maybe it would be best to table this security feature until it's, you know, secure.
Filed Under: facial recognition, galaxy s8, security
Companies: samsung
Reader Comments
Subscribe: RSS
View by: Time | Thread
No thank you.
[ reply to this | link to this | view in thread ]
Re: convenience feature and not a security feature
There are lots of things for which minimal security is fine - when a breach involves minor consequences you can easily live with.
For other things you need more security. If your phone can transfer away your life savings, for example.
And if your opponent is the NSA you need stronger security than if it's the nosy guy in the next cube at work.
Nobody should expect a single level of security to be right for everyone, or for everything.
Stronger security has costs that you don't want to pay for trivial gains.
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
In the absence of a threat model, the word secure has no meaning. Not everyone requires bars outside their windows.
If you lost your phone on the street, it's highly unlikely a thief would also happen to have a picture of you to defeat this system.
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
Re: Re: convenience feature and not a security feature
Ok, that's done it. My head's exploded.
[ reply to this | link to this | view in thread ]
You can change your password, but good luck changing your fingerprints, your iris, your face.
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
My (then) 11-yo daughter could unlock it half the time by looking at it.
Sure people say "you spit her out" to me, BUT ANDROID SHOULDN'T BE SAYING THAT!
[ reply to this | link to this | view in thread ]
Re: Re: Re: convenience feature and not a security feature
That level of security is a bit excessive don't you think?
[ reply to this | link to this | view in thread ]
Re:
I don't know, a remote explode sounds like a good security measure.
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
Re: Re: Re: Re: convenience feature and not a security feature
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
gimmicks
my thought to the letter.
[ reply to this | link to this | view in thread ]
It's the same (or worse) in windows.
He was kinda pissed. I laughed.
[ reply to this | link to this | view in thread ]
Re:
[ reply to this | link to this | view in thread ]
To be nasty, let it ask for the PIN/password regardless of what fingerprint it scanned but too many failed PIN/password attempts with the wrong fingerprint presented would lock out all further attempts.
[ reply to this | link to this | view in thread ]
Probably reason for this./
[ reply to this | link to this | view in thread ]
Re: Re: Re: Re: convenience feature and not a security feature
Sounds about right.
[ reply to this | link to this | view in thread ]
If implemented correctly, after the facial recognition, the phone should ask for a password.
It could even keep checking and close down again when a new face appears.
[ reply to this | link to this | view in thread ]
Re:
The brightest minds in our police department have discovered an amazing, incredible hack. As you know, once a suspect is arrested for resisting arrest, their mugshot is normally taken. Most police departments have someone of sufficient technical skill and capability who are able to somehow use the mugshot to unlock the suspect's phone. That enables the phone to be searched to provide additional basis for the the arrest.
Just thought you would like to know. The federal government may be able to find people skilled enough to use this same sophisticated technique.
Sincerely,
Chief Donut Eater
[ reply to this | link to this | view in thread ]
NSA's detailed instructions to exploit
Not for release to the general public as criminal elements may learn and use the exploit.
Step 1 - hold phone in front of owner
Step 2 - Er...nope. Thats about it.
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
Worth Considering
While I agree that it's good that Samsung isn't allowing this sort of authentication for financial transactions, I'm not sure we should go so far as to say "don't use it".
Don't forget, it wasn't that long ago that fingerprint scanners were quite the joke. (and to a lesser extent, still can be)
It's going to take time in the real world to refine the techniques for these sorts of systems. You can only do so much in the controlled lab settings, and only a small bit more with in-house testing.
That said, you would think they would have known that someone was going to try the photo thing... it's not like that's a new workaround for facial recognition.
[ reply to this | link to this | view in thread ]
Re:
Why is it so hard for companies to get this right.
If you had ever tried discussing technical issues with a n MBA qualified manager, you would know the answer.
[ reply to this | link to this | view in thread ]
Re:
[ reply to this | link to this | view in thread ]
Re:
It's called taxes.
[ reply to this | link to this | view in thread ]
Re: Re: Re: convenience feature and not a security feature
Yeah, I know....
[ reply to this | link to this | view in thread ]
Funny face
[ reply to this | link to this | view in thread ]
Re:
The very fact that you cannot change your biometrics breaks one of the basic requirements of security. To say nothing of the fact that anyone can grab them from you without needing your help in any way.
[ reply to this | link to this | view in thread ]
Re: Re: Re: convenience feature and not a security feature
You're not paranoid enough. We should assume they have moles working for companies with "interesting" data.
[ reply to this | link to this | view in thread ]
Re: Re: Re: convenience feature and not a security feature
Ummm... no, he could work at the Geek Squad, UPS, ANYWHERE.
[ reply to this | link to this | view in thread ]
Re:
[ reply to this | link to this | view in thread ]
Re: Re:
[ reply to this | link to this | view in thread ]
Re: Funny face
Facial recognition attempts to analyze several generic data points to tell if it's likely the same face looking back at it. This actually describes part of the problem with biometrics. You never get 100% match accuracy, so you're always guessing and accepting some degree of inaccuracy.
[ reply to this | link to this | view in thread ]
what good is it?
[ reply to this | link to this | view in thread ]
Re:
[ reply to this | link to this | view in thread ]
Re: Re: Re: Re: convenience feature and not a security feature
[ reply to this | link to this | view in thread ]
Re: Re: Re: Re: convenience feature and not a security feature
[ reply to this | link to this | view in thread ]
the answer....
[ reply to this | link to this | view in thread ]
Re: convenience vs security
[ reply to this | link to this | view in thread ]
Re:
But most of the population is unconscious. Or at least unthinking, which is the same thing.
[ reply to this | link to this | view in thread ]
Re:
"You can change your password, but good luck changing your fingerprints, your iris, your face."
That's what reincarnation is for. Just hope they don't wipe your mind in the process -- I don't think they've quite got the process down yet.
(1) http://people.com/books/meet-the-boy-who-believes-he-was-lou-gehrig-in-a-past-life-his-mom-is-convin ced-too/ --- because if you can't convince your mom, you're sure not going to convince anyone else.
[ reply to this | link to this | view in thread ]
Re: Re: convenience vs security
That's why the correct solution is to use both.
In fact, that points back to one of the key things people keep saying (and other people seem to miss) about this: biometrics make excellent replacements for usernames, but very poor replacements for passwords.
Require face- or fingerprint-recognition before the device asks for the passcode, then require the passcode before the device actually becomes unlocked. Slightly less convenient than either alone, but aside from that, more or less the best of both worlds.
[ reply to this | link to this | view in thread ]
They're not. Those cameras on stoplights that use these types of technologies (I assume) had her speeding in a state across the country that she'd never been to before.
[ reply to this | link to this | view in thread ]
Re: It's the same (or worse) in windows.
It's quite possible that your friend's laptop is running Lenovo's Veriface software, which only requires a 2D camera. The lack of depth sensing makes it much easier to fool. Similarly, Dell laptops use SensibleVision's FastAccess software, which has the same limitations.
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
Add Your Comment
Add A Reply