Biometric Authentication Under Threat: Liveness Detection Hacking

Biometric Authentication Under Threat: Liveness Detection Hacking

Biometric authentication has been widely used in scenarios such as device unlocking, App login, real-name authentication and even mobile payment. It provides people with a more convenient authentication experience compared with traditional technique like password.

A classic biometric authentication process includes biometrics collection, preprocessing, liveness detection and feature matching. With the leakage of biometric data and the enhancement of AI fraud ability, liveness detection has become the Achilles' heel of biometric authentication security as it is to verify if the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture. Previous research mainly focused on how to generate fake data but lack of systematic survey on the security of liveness detection.

In this talk, we'll introduce our arsenal of attacking liveness detection and show how to apply them to bypass several off-the-shelf biometric authentication products, including 2D/3D facial authentication and voiceprint authentication. Our arsenal includes the following two kinds of weapons:

  • -Injecting fake video or audio streams by evil hardware to hidden attack media
  • -Creating specific recognition scene to trigger the defect of liveness detection algorithm

Make use of above weapons and combinations thereof, we can:

  • -Compromise App's biometric-based login or password recovery function then log in victim's account remotely by injecting fake video or audio streams which generated from a face photo or a short phone recording
  • -Unlock a victim's mobile phone and then transfer his money through mobile payment App by placing a tape-attached glasses (we named it X-glasses) above sleeping victim's face to bypass the attention detection mechanism of both FaceID and other similar technologies.

In addition, we propose a new attack model to log in App remotely based on hardware injection and device ID spoofing.

Presented by