by Alejo Moles & Gabriel Gonzalez
In our Biometric Testing Facility, we have conducted a large number of security assessments of both 2D and 3D-IR-based face authentication algorithms.
In this post, we introduce our Face Recognition Research whitepaper, where we analyzed a number of 2D-based algorithms used in commercially available mobile phones. We successfully bypassed the facial authentication security mechanism on all tested devices for at least one of the participating subjects.
If you want to have a better understanding of the environment and type of tests performed to achieve these results, please refer to the following document: Face Recognition Research
Tested Devices
The devices used in this research were a Samsung Galaxy S10+, OnePlus 7 Pro, VIVO V15 Pro, Xiaomi Mi 9, and Nokia 9 Pure View with the characteristics shown below.
| Device Model | OS Version | Build Number | Resolution | Focal Length | Aperture |
| --- | --- | --- | --- | --- | --- |
| Samsung S10(+) | Android 10 / One UI 2.1 | 6975FXXU7CTF1 | 10MP | 35mm | f/1.9 |
| OnePlus 7 Pro | Android 10 / Oxygen OS | 10.0.7.GM21BA | 16MP | 25mm | f/2.0 |
| Nokia 9 Pure View | Android 10 | 00WW_5_13D_SP01 | 20MP | 1.0µm | f/2.0 |
| Xiaomi Mi 9 | Android 10 / MIUI 11.0.6 | QKQ1.190825.002 | 20MP | 0.9µm | f/2.2 |
| Vivo V15 Pro | Android 10 / Funtouch OS_10 | PD1832F_EX_A_6.19.9 | 32MP | X | f/2.0 |
Test Parameters
Subjects
We used subjects of various ethnicities: two Asian (male and female), two African American (male and female), and one Caucasian (male).
Note that while we have subjects of three different ethnicities, the sample size is not large enough to conclusively identify a statistically significant causal relationship between ethnicity and success rate.
Black-Box 2D Test Results
The following table illustrates the unlock probability observed during black-box testing using the following color code (red: reliable unlock, orange: occasional unlock, green: no unlock).

| Subject | Samsung S10(+) | OnePlus 7 Pro | Nokia 9 Pure View | Xiaomi Mi 9 | Vivo V15 Pro |
| --- | --- | --- | --- | --- | --- |
| Subject 1 | | | | | |
| Subject 2 | | | | | |
| Subject 3 | | | | | |
| Subject 4 | | | | | |
| Subject 5 | | | | | |
Again, while this sample size is insufficient to produce a statistically significant link between ethnicity and unlock success rate, it does indicate additional investigation is warranted.
Case Study: OnePlus 7 Pro
In addition to the above results, further analysis was conducted on the OnePlus 7 Pro to understand how the different subsystems are glued together. More information can be found in the Face Recognition Research whitepaper.
The basic architecture implements the following components:
There are three interesting components that are useful for our goals:
1. App: Each vendor has its own Android application whose main function is to collect images, extract the facial features they consider interesting, and manage all the lock/unlock logic based on an AI model.
2. BiometricManager: This is a private interface that maintains a connection with BiometricService.
3. Biometric vendor implementation: This must use secure hardware to ensure the integrity of the stored face data and the authentication comparison.
Looking into the application, we can spot the basis for face detection (full face in the image, quality, brightness, front facing, and opened eyes):
The following excerpt shows the most important part: extracting image features and comparing them to the enrolled subject's facial data.
Continuing our analysis, we find IFaceUnlockNativeService (BiometricManager), which is the interface that talks to the TEE hardware environment.
Once the match score is received, if it is a positive match and hackerValue is less than 0.95, the check process is completed, and the phone will be unlocked.
Additional Observations
We observed that the code contains numerous log calls. These make our task easier by disclosing useful information in real time while the phone is evaluating a face. This information was not used to obtain the results shown above.
adb logcat | grep "$(adb shell ps | grep com.oneplus.faceunlock | awk '{print $2}')"
Output:
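As an added example (not from the original post and not OnePlus code), the following release-build check reads logcat text in `threadtime` format and reports every score-like value logged by one process, which is the kind of disclosure described above. The log lines, the `FaceUnlockDemo` tag, the PID, the keyword list and every key name other than `hackerValue` are constructed for illustration.

```python
import re

# logcat "threadtime" layout: MM-DD HH:MM:SS.mmm PID TID LEVEL TAG: message
LINE_RE = re.compile(
    r"^(\d\d-\d\d) (\d\d:\d\d:\d\d\.\d{3})\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.*?)\s*: (.*)$"
)
# key=value or key: value pairs whose value is a decimal number
SCORE_RE = re.compile(r"([A-Za-z_]\w*)\s*[=:]\s*(-?\d+\.\d+)")
# Assumed keyword list for biometric decision values; tune it per application.
SENSITIVE = ("score", "hacker", "live", "match", "threshold", "quality")


def find_score_leaks(log_text, pid):
    """Return (time, level, tag, key, value) for each score-like value logged by pid."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group(3)) != pid:
            continue  # not a threadtime line, or another process
        _, ts, _, _, level, tag, msg = m.groups()
        for key, value in SCORE_RE.findall(msg):
            if any(word in key.lower() for word in SENSITIVE):
                findings.append((ts, level, tag, key, float(value)))
    return findings


def build_passes(log_text, pid):
    """A release build passes only if the process logs no decision values."""
    return not find_score_leaks(log_text, pid)


# Constructed sample, shaped like `adb logcat -d -v threadtime` output.
SAMPLE_LOG = """\
07-01 10:15:02.101  4321  4321 D FaceUnlockDemo: detect face ok, brightness=0.62
07-01 10:15:02.140  4321  4388 D FaceUnlockDemo: compare result matchScore=0.87 hackerValue=0.12
07-01 10:15:02.141  4321  4388 I FaceUnlockDemo: unlock success
07-01 10:15:02.150  1200  1250 I OtherService: score=0.99 unrelated process
07-01 10:15:03.000  4321  4388 W FaceUnlockDemo: liveness: 0.40 below threshold
"""

if __name__ == "__main__":
    for finding in find_score_leaks(SAMPLE_LOG, 4321):
        print(finding)
```

Run as a gate in build verification, a non-empty result means the biometric process is still writing match or anti-spoofing values to a log that any `adb` session can read.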
Conclusions
The use of facial recognition systems has become pervasive on mobile phones and is making inroads in other sectors as the primary method to authenticate the end user of a system. These technologies rely on models created from an image or facial scan, selecting specific features that will be checked in a live environment against the actual user or an attacker. The algorithms need to be accurate enough to detect a spoofing attempt, but flexible enough to make the technology useful under different lighting conditions and accommodate normal physical changes in the legitimate users.
As has been shown in this blog post, the technologies behind facial recognition have room for improvement. A number of techniques have been used to successfully bypass these algorithms and there is plenty of room for additional creative attack methods. System architects should carefully consider the risks of employing facial recognition systems for authentication in their systems and evaluate using more robust authentication methods until this technology matures.