Americans aren’t yet sold on biometrics when it comes to their digital security, and now, it looks like there’s good reason behind their skepticism. At the Usenix security conference earlier this month, researchers in the security and computer vision fields from the University of North Carolina suggested that all it takes to get past certain facial recognition technology is some Facebook stalking and 3D rendering.
In conducting its research, the UNC team gathered photos of 20 volunteers from online sources — think your Facebook page, LinkedIn profile, and the like. Researchers then created 3D models of the subjects’ faces, added facial animations, and slightly adjusted their eyes to look directly at the camera. If they didn’t have photos that showed a volunteer’s full face, they improvised, recreating the missing parts and even embellishing with shadows and textures. Even though some of the subjects were remarkably hard to track down online (being security researchers themselves), the UNC team was able to use just a few low-resolution photos to create a model accurate enough to fool some facial recognition systems.
In fact, the scientists met with success in four out of the five systems they tried to hack. “We could leverage online pictures of the [participants], which I think is kind of terrifying,” said True Price, a study author who works on computer vision at UNC, in an interview with Wired. “You can’t always control your online presence or your online image.” And apparently, that means that your biometric data is virtually up for grabs.
All five of the systems tested — KeyLemon, Mobius, TrueKey, BioID, and 1D — are available on the Google Play Store and the iTunes Store. While Google previously warned that similar software “is less secure than a PIN, pattern, or password,” as “someone who looks similar to you could unlock your phone,” it may be even easier than previously thought.
You can check out the full details of how the UNC researchers pulled off their hack in their paper, published here.