How Virtual Reality and Facebook Photos Helped Researchers Hack Biometric Security

Years ago, holograms were considered science-fiction. Things have changed. Within recent memory, we’ve gone from seeing well-loved, but deceased, cultural icons appearing onstage at music awards, to CEOs attending big meetings in holographic form. Obviously, our ability to project ourselves through virtual reality across the globe has evolved. But so have the security consequences of being able to do so.

Those consequences were on display earlier this month at the Usenix security conference, a yearly security symposium aimed at highlighting cybersecurity issues in new technology. During this year’s conference, researchers from the University of North Carolina demonstrated how life-like animations of faces could be used to trick facial recognition.

To achieve this, WIRED reports, the researchers used technology similar to virtual reality and a few borrowed photos from volunteers. (While volunteers willingly gave the researchers permission, the photos were acquired in a similar fashion to how cybercriminals would acquire them, according to WIRED.) This technique cracked several security systems tested.

As far as new technology goes, this isn’t unexpected. Fledgling technologies will almost always have vulnerabilities and pitfalls during their early days. As always, security researchers are best equipped to discover the security issues embedded in these technologies.

In this particular case, researchers used the virtually-stolen photos to create fake faces with readily available 3D rendering and animation software. They then blended the photos and animated the 3D images to trick facial recognition programs into thinking the fake images had both motion and depth (right down to blinking and smiling) — measurements these programs check for while scanning a face.

It’s a great reminder that it’s trivial to steal high-quality photos of someone today, even from the multiple angles this theoretical attack requires. Crooks could simply browse your Facebook, LinkedIn and other social media profiles. As simple as it is to carry out, this form of vulnerability is a bit tricky to defend against. After all, having an online presence is important for both social and career purposes, and even the most cautious posters can’t always guarantee a nonexistent digital footprint.

Alarming? Sure. But few should worry: the attack is too complicated, and too time-consuming, for most cybercriminals to bother with. A lot of preparation — and background knowledge — is needed to successfully replicate this theoretical attack. That fact significantly narrows the number of people who may be at risk. Additionally, these vulnerabilities have been flagged to cybersecurity firms — firms that want to see this technology succeed. Fixes to these issues will be on their way shortly.

Given this research, we should take the opportunity to revisit two issues relevant in today’s digital world. First, as discussed above, maintaining a level of privacy online is important not only as a matter of lifestyle, but also as a matter of security. Our photographs are now connected to our profiles and, by extension, our security. Second, technology isn’t a one-and-done thing. New innovations in everyday devices, services, and security take time to perfect. Biometric security and similar innovations are no different.

With that in mind, here are three tips for practicing biometric security:

  • Limit your online exposure. Make sure you set your social media preferences to “private.” This way you’ll protect the images of not just yourself, but also of your loved ones. Always check your social media website of preference for privacy options, and avoid uploading images to sites that don’t offer them.
  • Use comprehensive security. Good security requires a good deal of preparation—and a comprehensive approach works best. By using a comprehensive security solution, like McAfee LiveSafe™, you’re expanding your protection level across devices.
  • Use multi-factor authentication. There are a few tried and true methods to protect yourself online. Two-factor and multi-factor authentication — where a service requires verification through something you know, like a password or PIN, and something that you have, like a smartphone — is one of the more reliable security methods out there. Check the services you use online, and see if it’s available for account authentication.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @IntelSec_Home on Twitter, and ‘Like’ us on Facebook.

gary