Android Facial Recognition Feature Defeated by Photo

Monday, November 14, 2011




A video posted on YouTube claims to demonstrate how one can defeat Android 4.0's new Face Unlock feature.

The trick? Simply show the enabled device an image of the face it is programmed to detect.

The demonstration posted by SoyaCincau shows the unlocking of a Galaxy Nexus, which was said to be running the Android 4.0 OS, by simply showing the device a digital photo displayed on another smartphone.

Some responses to the demonstration asserted that the phone may have been programmed to recognize the digital image, but the creators of the video have given assurances that this is not the case, and urge others to try to replicate the flaw.

"While some of you think that it is a trick and I had set the Galaxy Nexus up to recognise the picture, I assure you that the device was set up to recognise my face. I have a few people there watching me do the video and if any one of them is watching this video I hope you can confirm that this test is 100% legit," states the text that accompanies the video demo.

The Galaxy Nexus has not yet been released to the general public, and the demonstration took place at an event where the device was on display.

"I would love to do this test again but I don't have a Galaxy Nexus, it is VERY hard to come by as it is not launched yet, but I urge anyone with a Galaxy Nexus to do the same test. Program the device to recognise YOUR FACE and then try to trick the same device with a similar looking picture, it will work. If anyone does do this test, please tell me so I can link it in this video. Once again people, I know it's just my words right now but this claim is LEGIT," the video's text continued.

According to CNET columnist Elinor Mills, Google was contacted by the publication and issued some caveats regarding the experimental nature of the feature:

"A Google representative contacted by CNET said the feature is considered low security and experimental. Even the interface warns users that 'Face Unlock is less secure than a pattern, PIN, or password' and that 'someone who looks similar to you could unlock your phone'".

Mills also writes that an Android developer from CyanogenMod, Koushik Dutta, had pointed out the flaw in the facial recognition feature last month in a Twitter post.

"The face recognition unlock thing is really easily hackable. Show it a photo," Dutta tweeted.

"Nope. Give us some credit," was the reply from the Android team's Tim Bray.

The Next Web picked up on the exchange and wrote that "it was safe to assume that Google wouldn't let its face-recognition technology be bypassed using a photo but this confirms it. Good news for those who were worried about their friends hacking their smartphone by using a Facebook profile photo or something similar."

The lesson here? Don't depend on Android 4.0's new Face Unlock feature to secure your smartphone until the bugs have been ironed out.


Darin Beery: Fortunately, not all face recognition solutions are the same. Sensible Vision is a leading supplier of authentication solutions. We have sold the FastAccess facial recognition solution to over 5.5 million Windows users, including many in high security, enterprise institutions. FastAccess has industry leading photo resistance. A sophisticated attack can still defeat virtually all security methods including FastAccess. This is why it's important to disclose possible vulnerabilities and offer simple and effective solutions. For example, FastAccess offers fast and convenient two factor authentication that eliminates the possibility of a "replay attack" like the one used to defeat the Ice Cream Sandwich solution.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
