Black Hat DC: Face time
Vendors hate Black Hat. It's a periodic opportunity for hackers to show off in front of their peers, and they make the most of it by breaking everything they can -- spotting security holes in software, hot-wiring hardware, finding new ways to sneak onto networks.
As I said, vendors hate it, and their standard response is to deny, deny, deny. That's easier to do when the hackers behave responsibly and don't make it easy for everyone to replicate their hacks. (In 2006, I was suckered by exactly such a denial.)
And that makes corporate IT people unhappy. We don't know whether we're being lied to (again) by vendors, or seeing threats exaggerated by glory-hound hackers, or being put in real jeopardy because a Black Hatter gave everybody a skeleton key to systems we thought were secure.
But sometimes we don't mind. Case in point: this week's Black Hat demo of how to break the face-recognition "security" built into laptops from Lenovo, Toshiba and Asus.
And how is it done? You hold a picture in front of the laptop's camera.
You may have to Photoshop the image a little. Or jiggle it a bit, if the software expects a slightly moving image.
But mainly you just hold the picture in front of the camera. Just like you might expect, after all those years of movies and TV shows in which characters do exactly that sort of thing.
Is this a real security hole? You don't need to see source code or use special equipment to test it. If you think security researcher Nguyen Minh Duc rigged the demo, it's easy enough to replicate.
Chances are, you can hold up a picture in front of a new laptop to log in too.
I'm sure Lenovo, Toshiba and Asus won't be thanking Nguyen Minh Duc for driving a stake through the heart of this very, very bad idea.
But everyone else should. Right after we disable that face-recognition login on every new laptop that offers it.



