Biometric Authentication Under Threat: Liveness Detection Hacking

Video Link: https://www.youtube.com/watch?v=1zrv8miCVnc



Duration: 25:24


Yu Chen | Security Researcher, Tencent Security Xuanwu Lab
Bin Ma | Security Researcher, Tencent Security Xuanwu Lab
Zhuo Ma | Security Researcher, Tencent Security Xuanwu Lab
Location: Islander EI
Date: Wednesday, August 7 | 10:30am-10:55am
Format: 25-Minute Briefings
Tracks: Human Factors, Hardware/Embedded

Biometric authentication has been widely used in scenarios such as device unlocking, App login, real-name authentication and even mobile payment. It provides people with a more convenient authentication experience than traditional techniques such as passwords.

A classic biometric authentication process includes biometrics collection, preprocessing, liveness detection and feature matching. With the leakage of biometric data and the growing capability of AI-based fraud, liveness detection has become the Achilles' heel of biometric authentication security, because its job is to verify that the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture. Previous research mainly focused on how to generate fake data but lacks a systematic survey of the security of liveness detection.

In this talk, we'll introduce our arsenal for attacking liveness detection and show how to apply it to bypass several off-the-shelf biometric authentication products, including 2D/3D facial authentication and voiceprint authentication. Our arsenal includes the following two kinds of weapons:

- Injecting fake video or audio streams with evil hardware to hide the attack media
- Creating a specific recognition scene to trigger a defect in the liveness detection algorithm

Using the above weapons and combinations thereof, we can:

- Compromise an App's biometric-based login or password recovery function and then log in to the victim's account remotely by injecting fake video or audio streams generated from a face photo or a short phone recording
- Unlock a victim's mobile phone and then transfer his money through a mobile payment App by placing tape-attached glasses (we named them X-glasses) above a sleeping victim's face to bypass the attention detection mechanism of both FaceID and other similar technologies.

In addition, we propose a new attack model for logging in to an App remotely, based on hardware injection and device ID spoofing.

Black Hat - USA - 2019 Hacking conference






