
Face Recognition Authentication Fail

Posted Dec 9, 2008
Authored by SVRT | Site security.bkis.vn

The face recognition authentication mechanism in Lenovo, Asus, and Toshiba laptops suffers from a bypass vulnerability.

tags | advisory, bypass
SHA-256 | af4826555c3f1216ccef140a9ee97e90f1bd689835fef766d6a4543d535d16b8

VULNERABILITY IN FACE RECOGNITION AUTHENTICATION MECHANISM
LENOVO-ASUS-TOSHIBA LAPTOPS

1. General Information

The Face Recognition feature is provided by Asus, Lenovo and Toshiba as
specialized software that ships with their laptops. It is embedded in all
laptop families that have webcams and support the Windows Vista and XP
operating systems. Owners of laptops with this technology do not have to
type in their passwords or use their fingerprint; they only have to sit in
front of their laptops to log in.

Face recognition is introduced by these vendors as a remarkable feature
that helps prevent unauthorized people from breaking into laptops and
ensures information security for their owners.

Details : http://security.bkis.vn/?p=292
SVRT Advisory : SVRT-07-08
Initial vendor notification : 20-11-2008
Release Date : 08-12-2008
Update Date : 08-12-2008
Discovered by : SVRT-Bkis
Attack Type : Authentication Mechanism Bypass
Security Rating : Critical
Impact : Loss of Confidentiality and Integrity
Affected Software : Lenovo Veriface III (prior version is vulnerable)
                    Asus SmartLogon V1.0.0006 (prior version is vulnerable)
                    Toshiba Face Recognition 2.0.2.32 (prior version is vulnerable)

Video demo:
http://security.bkis.vn/Proof-of-concept/Face_Recognition/FaceRecognitionBypassing_DemoVideo.wmv

2. Technical Description

After 4 months of research on face recognition technology applied to
laptops, Bkis, Vietnam, has concluded that the user authentication
mechanisms based on face recognition from Asus, Lenovo and Toshiba do not
meet security needs.

Bkis research shows that the face recognition authentication mechanisms of
all 3 laptop vendors can be bypassed, even when set at the highest security
level.

To use this technology, a laptop's owner uses the webcam to capture his or
her face at a close distance and from different viewpoints. This step helps
the laptop "remember" the facial characteristics of its owner and store
this data in the face database. Bkis's research, however, shows that an
unauthorized person can easily regenerate a suite of fake face recognition
inputs to bypass the authentication mechanism.

In tests on Lenovo, Asus and Toshiba laptops with a 1.3 Megapixel camera,
using the Bypass Model above with special photos or videos of some users,
we were able to pass the user authentication based on face recognition and
log into user accounts on Windows Vista without difficulty.

All the applications tested were the latest versions and were set to the
Highest Security Level.
- Lenovo Veriface III
- Asus SmartLogon V1.0.0005
- Toshiba Face Recognition 2.0.2.32

3. Solution

While waiting for this vulnerability to be fixed, Bkis recommends that
users all over the world stop using face authentication to log in to their
laptops.

Credit
Thanks to Le Nhat Minh, Nguyen Minh Duc, Bui Quang Minh, Le Minh Hung.

----------------------------------------------------------------
Security Vulnerability Research Team (SVRT-Bkis)

Bach Khoa Internetwork Security Center (Bkis)
Hanoi University of Technology (Vietnam)

Office: 5th Floor, Hitech building - 1A Dai Co Viet, Hanoi, Vietnam
Tel: 84.4.38 68 47 57 Ext 128
Mobile: +84 983 60 99 20
Email: svrt@bkav.com.vn
Website: www.bkav.com.vn
----------------------------------------------------------------
