Criminals could fool biometric security with fake faces
You’ve seen it in Mission: Impossible – agents in disguise evade high-tech security before peeling off their latex “faces” to reveal their true identities.
Now experts are warning that criminals could pull off similar stunts, using photos lifted from social media to order 3D-printed masks capable of tricking biometric systems.
Matt Lewis, research director of NCC Group, a cybersecurity company in London, bought a mask of his own face for £250, sending three photos from his Facebook profile to a company that renders faces in three dimensions and prints them in resin.
ThatsMyFace, based in Oregon, can use predictive software to model a 3D likeness from even one face-on photograph. The masks, which are marketed as novelty items for partygoers, can be delivered within days.
Wearing his false face, Lewis was able to gain access to Android phones with the latest facial recognition unlocking, as well as apps that use face ID.
He said it was likely that the masks could also trick some systems used to gain access to buildings, and could be used to unlock some countries’ border controls.
Businesses aren’t deliberately making masks to spoof biometrics, but the fact that the masks can trick commonly used systems shows the challenge security companies face.
Researchers have shown how early facial recognition systems could be fooled by holding up photographs to the camera. The masks could be used to trick more recent systems that scan for facial depth.
Biometrics, including fingerprints and voice and facial recognition, is being used increasingly widely in security because of its convenience compared with passwords and its perceived strength as a unique personal identifier. Facial recognition unlocking is available on Android phones, and there are rumours that Apple will introduce it to unlock the iPhone 8, replacing fingerprint scanning.
Flaws have been found in several systems, not only facial recognition. Real-life security breaches have included South Koreans entering Japan using false fingerprints.
Experts said that despite NCC’s findings, better biometric systems detected “liveness” in various ways to distinguish between people and synthetic props.
For example, thermal imaging could be used to tell a real face from a mask. Some facial recognition systems include iris scanners that register tiny contractions of the pupil.
Robert Capps, of NuData Security, a biometrics company, said: “Biometric technology for commercial purposes is much more sophisticated than you’d find on consumer devices. Most have liveness checks that even a 3D-printed mask is unlikely to fool.”