Computer scientists at China's Tencent Security Xuanwu Lab have discovered ways to trick classic biometric authentication into mistakenly granting unauthorized users access to devices.
Biometric authentication is one of the fastest growing segments of the security industry. It uses facial recognition, fingerprint recognition, handwriting verification, hand geometry, and retina and iris scanners to identify users. It is seen as an improvement over two-factor authentication, which is vulnerable to brute-force attacks, phishing, and third-party login processes.
Along the way, computer scientists created a technique they refer to as "life detection" (liveness detection), which is essentially the act of distinguishing live features from non-living ones. The algorithm takes into account various combinations of human physical traits that collectively determine whether the individual present is alive, countering impostors who try to evade the defenses by feeding large amounts of falsified biometric data into the system.
These findings were shared publicly by Xuanwu Lab researcher HC Ma at the 2019 Black Hat USA conference in Las Vegas.
Researchers at Xuanwu Lab were able to exploit a flaw in a liveness detection algorithm that allowed them to compromise a biometrics-based login or password recovery feature and then log into a target's account remotely by injecting fake video or audio streams generated from a face photo or a short phone recording.
The Xuanwu Lab team also resorted to very low-tech tactics to carry out a very high-tech prank. They demonstrated how they defeated a smartphone's facial recognition to unlock a protected device. They only needed to place manipulated images of eyes on a pair of ordinary glasses, which were then put on the face of a sleeping victim, to bypass the attention detection mechanism of the device's Face ID function.
According to Ma, they were able to modify the glasses "in less than 2 minutes."
Source: Symantec.