Biometric Authentication Under Threat: Liveness Detection Hacking

Black Hat USA 2019

Presented by: Yu Chen, Bin Ma, Zhuo Ma
Date: Wednesday August 07, 2019
Time: 10:30 - 10:55
Location: Islander EI

Biometric authentication has been widely used in scenarios such as device unlocking, App login, real-name authentication and even mobile payment. It provides people with a more convenient authentication experience compared with traditional technique like password.

A classic biometric authentication process includes biometrics collection, preprocessing, liveness detection and feature matching. With the leakage of biometric data and the enhancement of AI fraud ability, liveness detection has become the Achilles' heel of biometric authentication security as it is to verify if the biometric being captured is an actual measurement from the authorized live person who is present at the time of capture. Previous research mainly focused on how to generate fake data but lack of systematic survey on the security of liveness detection.

In this talk, we'll introduce our arsenal of attacking liveness detection and show how to apply them to bypass several off-the-shelf biometric authentication products, including 2D/3D facial authentication and voiceprint authentication. Our arsenal includes the following two kinds of weapons:

Make use of above weapons and combinations thereof, we can:

In addition, we propose a new attack model to log in App remotely based on hardware injection and device ID spoofing.

Yu Chen

Yu Chen is a security researcher in Xuanwu Lab of Tencent. He received his PhD in information security from University of Chinese Academy of Sciences. His research focuses on frontier security threats, such as deep learning security and biometric security. His works have been published on IPCCC, ICC, IntellSys, WASA, etc. He has received the best student paper award at WASA in 2018.

Bin Ma

Bin Ma is a security researcher in Xuanwu Lab of Tencent. His research focus on system security and application security especially on mobile platform and he has found many popular Apps which affected by Clone Vulnerability. Additionally, some of his research has been accepted by conferences including RAID, IEEE S&P earlier. He has spoken at Black Hat Asia 2019.

Zhuo Ma

HC MA has been doing security research on Windows for about 4 years and mainly focuses on unpacking, algorithm reversing and de-virualization. HC also focused attention on Hardware hacking and firmware reverse-engineering from 2013. In 2015,HC gave a talk on BadBarCode Vulnerability at PacSec'15. In 2017,HC gave a talk on SamsungPay Vulnerability at Blackhat Europe'17. In 2018,HC gave a talk at Zeronights'18.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats