Researchers spoof FaceID biometric liveness detection with video injection and tape
Researchers from Tencent Security’s Xuanwu Lab have developed successful spoof attacks on biometric liveness detection systems, ranging from placing tape on eyeglasses to video stream injection, Dark Reading reports.
Zhuo (HC) Ma delivered a presentation by himself at Black Hat USA after his associates’ visas were denied, explaining that the team started by looking into the details of biometric authentication and anti-spoofing implementations. Ma notes that previous studies have focused on generating fake audio or video, but a real attack also requires defeating liveness detection.
“With the leakage of biometric data and the enhancement of AI fraud ability, liveness detection has become the Achilles’ heel of biometric authentication security as it is to verify if the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture,” Ma pointed out, as reported by Threatpost.
In one demonstration, Ma showed a method for injecting a video stream into the authentication device between the optical sensor and the processor. The injection has to keep latency and information loss low while avoiding detection. It would also require capturing specific video of the user and gaining physical control of the device, and is therefore not a practical attack method, Ma says.
A second demonstration relies on 3D systems’ use of 2D imaging to deal with eyeglasses. By simulating eyes with points of white tape on a background of black tape, the researchers showed that a sleeping person’s device could be unlocked by placing taped glasses on the person’s face, assuming he or she does not wake up during the attempt.
The demonstrations targeted Apple’s FaceID, so it is not clear whether the same techniques would work on other systems, such as 2D facial liveness technologies. A presentation of a FaceID hack scheduled for a previous Black Hat conference was withdrawn after doubts about whether it could be reproduced, and FaceID has been shown to be less vulnerable to spoof attacks than some other facial recognition systems.
The researchers suggest that biometric companies could improve liveness detection systems by adding identity authentication for native cameras, and increasing video and audio synthesis detection capabilities.
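One way to read "identity authentication for native cameras" is for the sensor to authenticate every frame it sends to the processor, so that a stream injected between the two is rejected. The sketch below is an added example, not the researchers' or any vendor's design; the class names, the frame layout and the shared HMAC key are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


class SensorSigner:
    """Camera side (hypothetical): tags each frame over counter || pixels."""

    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def emit(self, pixels: bytes) -> bytes:
        self._counter += 1
        header = struct.pack(">Q", self._counter)
        tag = hmac.new(self._key, header + pixels, hashlib.sha256).digest()
        return header + tag + pixels


class FrameVerifier:
    """Processor side (hypothetical): accepts authentic, fresh frames only."""

    def __init__(self, key: bytes):
        self._key, self._last = key, 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) < 8 + TAG_LEN:
            return False
        header, tag, pixels = frame[:8], frame[8:8 + TAG_LEN], frame[8 + TAG_LEN:]
        expected = hmac.new(self._key, header + pixels, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # frame was injected or modified in transit
        (counter,) = struct.unpack(">Q", header)
        if counter <= self._last:
            return False  # replay of an earlier genuine frame
        self._last = counter
        return True


def demo() -> dict:
    key = bytes(range(32))  # constructed demo key; assumed provisioned in hardware
    sensor, cpu = SensorSigner(key), FrameVerifier(key)
    genuine = sensor.emit(b"\x10" * 64)  # constructed stand-in for pixel data
    second = sensor.emit(b"\x11" * 64)
    injected = genuine[:8 + TAG_LEN] + b"\x99" * 64  # pixels swapped, old tag kept
    forged = SensorSigner(b"\x00" * 32).emit(b"\x99" * 64)  # source without the key
    return {name: cpu.accept(frame) for name, frame in [
        ("genuine", genuine), ("injected", injected), ("forged", forged),
        ("second", second), ("replay", genuine)]}


if __name__ == "__main__":
    print(demo())
```

A check like this only establishes that frames came from the provisioned sensor; it does nothing against a physical presentation such as the taped glasses, which still has to be caught by the liveness logic itself.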