[SVRT-07-08] Vulnerability in Face Recognition Authentication Mechanism of Lenovo-Asus-Toshiba Laptops
VULNERABILITY IN FACE RECOGNITION AUTHENTICATION MECHANISM
LENOVO-ASUS-TOSHIBA LAPTOPS
1. General Information
Face Recognition feature is provided by Asus, Lenovo and Toshiba as
specialized software that is issued together with their laptops. This
feature is embedded into all laptop families having webcams and supporting
Windows Vista, XP operating system. Owners of laptops benefiting from this
technology do not have to type in their passwords or use their fingerprint
but to sit in front of their laptops to login.
Face-recognition is introduced by these vendors as a remarkable feature
which helps prevent unauthorized people breaking into laptops and ensure
information security for their owners.
Details : http://security.bkis.vn/?p=292
SVRT Advisory : SVRT-07-08
Initial vendor notification : 20-11-2008
Release Date : 08-12-2008
Update Date : 08-12-2008
Discovered by : SVRT-Bkis
Attack Type : Authentication Mechanism Bypass
Security Rating : Critical
Impact : Loss of Confidentiality and Integrity
Affected Software : Lenovo Veriface III (prior version is vulnerable)
Asus SmartLogon V1.0.0006 (prior version is
vulnerable)
Toshiba Face Recognition 2.0.2.32 (prior
version is vulnerable)
Video demo:
http://security.bkis.vn/Proof-of-concept/Face_Recognition/FaceRecognitionBypassing_DemoVideo.wmv
2. Technical Description
After 4 months researching on Face Recognition technology apply on laptop,
Bkis, Vietnam, has come to a conclusion that the User Authentication
Mechanisms Based on Face Recognition of Asus, Lenovo and Toshiba haven't met
security needs.
Bkis research show that the Authentication Mechanism Based on
Face-Recognition of these 3 laptop vendors can all be bypassed, even when
set at highest security level.
In order to make use of this technology, a laptop's owner uses webcam to
capture his or her face at a close distance and at different viewpoints.
This step helps the laptop to "remember" facial characteristics of its
owner, and store these data in the face database. Bkis's research, however,
show that an unauthorized person can easily regenerate suite of fake face
recognition to bypass the authentication mechanism.
Performing tests on laptops with 1.3 Megapixel camera produced by Lenovo -
Asus - Toshiba, using the Bypass Model above with special photos or videos
of some users, we have been able to pass the User Authentication Based on
Face Recognition and log into user accounts on Windows Vista without
difficulty.
All the applications tested are of their latest versions and are set to
Highest Security Level.
- Lenovo Veriface III
- Asus SmartLogon V1.0.0005
- Toshiba Face Recognition 2.0.2.32
3. Solution
In the mean time waiting for this vulnerability to be fixed, Bkis recommends
that users all over the world stop using face authentication to log in their
laptops.
Credit
Thanks Le Nhat Minh, Nguyen Minh Duc, Bui Quang Minh, Le Minh Hung.
----------------------------------------------------------------
Security Vulnerability Research Team (SVRT-Bkis)
Bach Khoa Internetwork Security Center (Bkis)
Hanoi University of Technology (Vietnam)
Office: 5th Floor, Hitech building - 1A Dai Co Viet, Hanoi, Vietnam
Tel: 84.4.38 68 47 57 Ext 128
Mobile: +84 983 60 99 20
Email: svrt@xxxxxxxxxxx
Website: www.bkav.com.vn
----------------------------------------------------------------