<<< Date Index >>>     <<< Thread Index >>>

[SVRT-07-08] Vulnerability in Face Recognition Authentication Mechanism of Lenovo-Asus-Toshiba Laptops



VULNERABILITY IN FACE RECOGNITION AUTHENTICATION MECHANISM
                              LENOVO-ASUS-TOSHIBA LAPTOPS

1. General Information

Face Recognition feature is provided by Asus, Lenovo and Toshiba as specialized software that is issued together with their laptops. This feature is embedded into all laptop families having webcams and supporting Windows Vista, XP operating system. Owners of laptops benefiting from this technology do not have to type in their passwords or use their fingerprint but to sit in front of their laptops to login.

Face-recognition is introduced by these vendors as a remarkable feature which helps prevent unauthorized people breaking into laptops and ensure information security for their owners.

Details : http://security.bkis.vn/?p=292
SVRT Advisory : SVRT-07-08
Initial vendor notification :  20-11-2008
Release Date : 08-12-2008
Update Date : 08-12-2008
Discovered by : SVRT-Bkis
Attack Type : Authentication Mechanism Bypass
Security Rating : Critical
Impact : Loss of Confidentiality and Integrity
Affected Software : Lenovo Veriface III (prior version is vulnerable)
Asus SmartLogon V1.0.0006 (prior version is vulnerable) Toshiba Face Recognition 2.0.2.32 (prior version is vulnerable)

Video demo: http://security.bkis.vn/Proof-of-concept/Face_Recognition/FaceRecognitionBypassing_DemoVideo.wmv

2. Technical Description

After 4 months researching on Face Recognition technology apply on laptop, Bkis, Vietnam, has come to a conclusion that the User Authentication Mechanisms Based on Face Recognition of Asus, Lenovo and Toshiba haven't met security needs.

Bkis research show that the Authentication Mechanism Based on Face-Recognition of these 3 laptop vendors can all be bypassed, even when set at highest security level.

In order to make use of this technology, a laptop's owner uses webcam to capture his or her face at a close distance and at different viewpoints. This step helps the laptop to "remember" facial characteristics of its owner, and store these data in the face database. Bkis's research, however, show that an unauthorized person can easily regenerate suite of fake face recognition to bypass the authentication mechanism.

Performing tests on laptops with 1.3 Megapixel camera produced by Lenovo - Asus - Toshiba, using the Bypass Model above with special photos or videos of some users, we have been able to pass the User Authentication Based on Face Recognition and log into user accounts on Windows Vista without difficulty.

All the applications tested are of their latest versions and are set to Highest Security Level.
- Lenovo Veriface III
- Asus SmartLogon V1.0.0005
- Toshiba Face Recognition 2.0.2.32

3. Solution

In the mean time waiting for this vulnerability to be fixed, Bkis recommends that users all over the world stop using face authentication to log in their laptops.

Credit
Thanks Le Nhat Minh, Nguyen Minh Duc, Bui Quang Minh, Le Minh Hung.

----------------------------------------------------------------
Security Vulnerability Research Team (SVRT-Bkis)

Bach Khoa Internetwork Security Center (Bkis)
Hanoi University of Technology (Vietnam)

Office: 5th Floor, Hitech building - 1A Dai Co Viet, Hanoi, Vietnam
Tel: 84.4.38 68 47 57 Ext 128
Mobile: +84 983 60 99 20
Email: svrt@xxxxxxxxxxx
Website: www.bkav.com.vn
----------------------------------------------------------------