Elvin Gentiles, IOActive Security Consultant, will be presenting ‘Seeing is Not Believing: Bypassing Facial Liveness Detection by Fooling the Sensor’ on September 26th at this year’s ROOTCON 18, taking place in Tagaytay, Philippines.
Abstract:
Given facial recognition’s continued popularity as a form of identity verification, organizations are grappling with the real threat of facial spoofing attacks, particularly in light of the rapid pace of development in AI and deepfakes. To combat fraudsters, organizations introduced “facial liveness detection” to ensure the end-user is a live person; but can these systems trust the evidence from their own sensors?
This presentation will demonstrate how to bypass facial liveness detection systems on different platforms by fooling the camera/sensor. While previous research in this area has relied on hardware modules, the method demonstrated here leverages open-source software and is simple, free, and not time- or resource-intensive. The talk will also cover the tools used, the setup process, and demonstrations of the bypasses using different platforms. The pros and cons of this approach will also be considered, as well as the threats it poses, particularly how videos posted on social media platforms could help fraudsters abuse this method. The presentation will conclude with recommendations to help organizations combat such an attack.
The main takeaways from this research are:
– How easy it is to bypass facial liveness detection using publicly and readily available tools
– How fraudsters could use what is posted on social media platforms
– How this attack could be mitigated for organizations to improve their algorithms/detection, and inform users on what to look for when choosing an identity verification provider.
The main objective of this topic is to make users aware of the risk involved in posting their videos on social media platforms, and to inform organizations of how easy it is to bypass facial liveness detection so that they can improve their systems.