iPhones are not the only ones with issues
By DRP; Cybersecurity Lab Engineer
The consumer’s focus, and subsequently the manufacturer’s, has been on ease of use for their products. This continues to be a selling point. One area within this realm is facial recognition. Other biometric measures, including iris scanning, fingerprinting, and other tools, have been in use at facilities of differing security levels for over a decade.
Facial recognition is one of the newer applications of biometrics to consumer security. It is touted as a more secure option for the consumer’s smartphone. In particular, this was implemented with the Samsung S8 and S8+.
Nearly all consumers are relatively familiar with how this security feature operates. The user picks up the phone and looks at it; the phone, using its front-facing camera, authenticates the user from that image. In essence, the user acts as though they are taking a selfie. After this, the user begins to use the phone as anyone else would. This solution is meant to provide a secure device.
This security feature is also used with the phone’s intelligent agent, Bixby, and the e-commerce mobile payment app Samsung Pass. In theory, this allows for a better user experience. The user is not required to remember the password, does not have to worry about fat-fingering the digits, and does not have to worry about bricking the phone.
With this tool, the primary use is to unlock the phone. This is not a new tool, nor a novel addition to present technology; the functionality is well-known and used in other venues. Although intended to improve the user experience (UX), it has the potential to be a bit creepy. As noted, it is exceptionally useful for the user’s convenience, but there are other, unintended uses. The algorithm and results for facial recognition are stored locally but are accessible. In theory, this data could be downloaded and then used by facial recognition in public or governmental applications. It could be used to identify who was near a crime scene, or persons who merely resemble those who were near a crime scene. A person could be grouped with a set of suspects simply because they appear to share 90% of the traits of a person of interest.
Compromising the new security features
As this was a new use case, the researchers took it as a challenge. A simple test to bypass the security was to place a photo in front of the subject camera, at the correct angle, to act as a proxy for the person’s real face. To demonstrate the ease of this, the researchers could have used a picture from social media displayed on another phone and held the two phones close to each other. The ease of compromising the phone, combined with the data the attacker would then have access to, is problematic.
All is not lost
The issue itself is rather troublesome. The user is not required to enable this function on the phone, so it may be prudent to use other security features in tandem. One of these options would be to use the PIN and/or switch from a numeric PIN to an alphanumeric passcode. In short, it may not be prudent to rely only on facial recognition, given its issues in this use case.
About the Author
DRP began coding in the 1980s. Presently DRP is a Cybersecurity Lab Engineer at a Tier One supplier to the automobile industry. DRP is completing a PhD (Information Assurance and Security) and is currently writing the dissertation. DRP’s interests include cryptography, SCADA, and securing communication channels. He has presented at regional InfoSec conferences.