VULNERABILITY IN FACE RECOGNITION AUTHENTICATION MECHANISM OF LENOVO - ASUS - TOSHIBA LAPTOPS

1. General Information

The Face Recognition feature is provided by Asus, Lenovo and Toshiba as specialized software shipped together with their laptops. It is embedded into all laptop families that have webcams and support the Windows Vista and XP operating systems. Owners of laptops with this technology do not have to type in a password or use a fingerprint reader; they only need to sit in front of the laptop to log in. Face recognition is introduced by these vendors as a remarkable feature that helps prevent unauthorized people from breaking into laptops and ensures information security for their owners.

Details : http://security.bkis.vn/?p=292
SVRT Advisory : SVRT-07-08
Initial vendor notification : 20-11-2008
Release Date : 08-12-2008
Update Date : 08-12-2008
Discovered by : SVRT-Bkis
Attack Type : Authentication Mechanism Bypass
Security Rating : Critical
Impact : Loss of Confidentiality and Integrity
Affected Software :
- Lenovo Veriface III (prior versions are vulnerable)
- Asus SmartLogon V1.0.0006 (prior versions are vulnerable)
- Toshiba Face Recognition 2.0.2.32 (prior versions are vulnerable)
Video demo : http://security.bkis.vn/Proof-of-concept/Face_Recognition/FaceRecognitionBypassing_DemoVideo.wmv

2. Technical Description

After 4 months of research on Face Recognition technology as applied to laptops, Bkis (Vietnam) has come to the conclusion that the user authentication mechanisms based on face recognition from Asus, Lenovo and Toshiba do not meet security needs. Bkis's research shows that the face-recognition-based authentication mechanisms of all three laptop vendors can be bypassed, even when set to the highest security level.

To make use of this technology, a laptop's owner uses the webcam to capture his or her face at close range and from different viewpoints. This step lets the laptop "remember" the facial characteristics of its owner and store this data in the face database. Bkis's research, however, shows that an unauthorized person can easily produce a set of fake face images that pass the recognition check and thereby bypass the authentication mechanism.

Performing tests on laptops with 1.3 Megapixel cameras produced by Lenovo, Asus and Toshiba, using the Bypass Model above with special photos or videos of some users, we were able to pass the face-recognition user authentication and log into user accounts on Windows Vista without difficulty. All the applications tested were their latest versions and were set to the Highest Security Level:
- Lenovo Veriface III
- Asus SmartLogon V1.0.0005
- Toshiba Face Recognition 2.0.2.32

3. Solution

While waiting for this vulnerability to be fixed, Bkis recommends that users all over the world stop using face authentication to log in to their laptops.

Credit

Thanks to Le Nhat Minh, Nguyen Minh Duc, Bui Quang Minh, Le Minh Hung.

----------------------------------------------------------------
Security Vulnerability Research Team (SVRT-Bkis)
Bach Khoa Internetwork Security Center (Bkis)
Hanoi University of Technology (Vietnam)
Office: 5th Floor, Hitech building - 1A Dai Co Viet, Hanoi, Vietnam
Tel: 84.4.38 68 47 57 Ext 128
Mobile: +84 983 60 99 20
Email: svrt@bkav.com.vn
Website: www.bkav.com.vn
----------------------------------------------------------------