Full Disclosure mailing list archives

By Date By Thread Face Authentication Bypassing – KeyLemon From: omarbv () riseup net

Date: Wed, 15 Jun 2016 11:08:17 +0300

Application ----------- KeyLemon offers convenient, secure and continuous biometric authentication solutions based on face and speaker recognition. To improve robustness to illumination and pose, as well as to provide enhanced security against photo/video spoofing attacks, KeyLemon's latest face recognition algorithms take full benefit of 3D depth sense cameras by efficiently combining depth, near-infrared and color information. (Description from the official website https://www.keylemon.com) Vulnerability ------------- Face Authentication Bypassing / Anti-Spoofing Bypassing It is possible to bypass the face recognition software, just using a selfie in the Free version or a gif animation in the Gold License version, even with the recognition accuracy set as high. PoC --- In the first case, for the FREE desktop application, I created a profile in two different scenarios: - bad conditions (wearing glasses and low light) - good conditions (no glasses and great lighting) All I used was an iPhone and the front camera to shoot a selfie, and in both scenarios I was able to enter in my session without problem. Video recorded showing how the FREE version can be bypassed with a selfie: https://www.youtube.com/watch?v=wPuVUj5mRgI In the second case, the GOLD version, I set up the Security Level to high, and selected the anti-spoofing check. There were two different ways to get the blinking "effect": - using a video (with the iPhone front camera I recorded an 8 seconds video) - using a gif (with the iPhone front camera, I shooted two photos: one selfie with eyes open, another selfie with closed eyes and used Best Animation Maker, as GIF maker) Video recorded showing how the GOLD version can be bypassed with a gif or video: https://www.youtube.com/watch?v=pCaEJoch6Zc More information and steps: https://www.omarbv.com/?p=4676&lang=en Affected versions ----------------- KeyLemon 2.7.5 for Mac OS X KeyLemon 3.2.3 for Windows Vista/7/8 (Older versions are also vulnerable.) Timeline -------- 2016-05-24: Initial disclosure to vendor 2016-05-24: Vendor responded with “KeyLemon introduced since version 2.5 antispoofing check feature. This feature requires GOLD package.” 2016-06-06: Vendor was contacted again, regarding the vulnerability in the GOLD version. 2016-06-07: Vendor responded with “In the current case, you are fully cooperating with the system to spoof it. This is similar as if you give your password. In KeyLemon desktop application we decided of a threshold between security and convenience.“ 2016-06-13: Public disclosure Discovered by ------------- Omar Benbouazza www.omarbv.com @omarbv _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: Face Authentication Bypassing – KeyLemon omarbv (Jun 15)