Biometric Hacking: Even Your Face is Hackable

The ability to confirm a user’s identity with facial recognition may seem like the most effective and reliable method of authentication in today’s world. But researchers in China have proven that even biometric authentication is not infallible, or un-hackable.

Through a course of experiments, researchers from Tencent Security’s Xuanwu Lab in China determined that facial recognition technology, such as Apple’s FaceID, can be fooled in its check that the actual user is not only present but conscious or even alive. (Tencent Security is a unit of Tencent Holdings Ltd., a Shenzhen-based conglomerate with a market value of more than $500 billion, which includes subsidiaries that sell online services and products, create entertainment, and develop technology all over the world.) At last month’s Black Hat USA conference in Las Vegas, a computer security symposium for hackers, corporations, and government agencies around the world, Zhuo (HC) Ma, a researcher for Tencent Security, described how he and the rest of his team were able to trick the biometric protocols that are designed to determine that the legitimate, live user is accessing their device or data.

So-called “liveness detection” is necessary to ensure that the biometric authentication is not validating a picture or video of the legitimate user, or a user who might be dead, unconscious or otherwise incapacitated. Hence, biometric liveness detection often incorporates checking body temperature in fingerprint scans or potential playback reverberation in voice recognition, and looks for blurriness or distortion and feature-matching in facial recognition.