As biometric security systems from companies such as KeyLemon are increasingly introduced to devices, spoofing attacks are becoming more common and sophisticated. The Tabula Rasa project aims to prevent these security breaches.
Watch "KeyLemon Photo Attack" on YouTube and you can see how facial recognition software can distinguish between a real person and a photograph of that same person. Then watch "KeyLemon Fooled" and you can see how the software is now fooled by a smartphone recording of a person.
For Giles Florey, nothing better illustrates the constant war between the companies providing biometric security systems and the spoofers who want to break them than these videos of attacks on laptop login systems.
Florey is co-founder and CEO of KeyLemon. There have been more than three million user downloads of its software, which provides biometric access logins for PCs, Macs and even cars, and it's one of the hard industrial partners (along with Starlab, Safran Morpho and Biometry) of the European Commission-funded Tabula Rasa project. "For each KeyLemon user there is always a trade-off between convenience and security levels and, depending on the level they want, they can make it easy to spoof using these classic methods or very hard to spoof. That's up to the customer," he said.
Biometrics is the identification of humans by their unique biological characteristics, traditionally using techniques such as fingerprinting, facial recognition and voice recognition, or a combination of them, while "emerging biometrics" can include recognisable traits such as heartbeat and gait. Traditional biometric techniques are vulnerable to direct, or spoof, attacks.
According to Florey, the constant evolution of spoofing attacks shows "the real market need" for more research into counter-measures that lie behind the Tabula Rasa Project.
Tabula Rasa may seem like a strange name for a €4.7 million (£3.7 million) European Commission project, involving twelve industry and academic partners, into how to protect our "trusted" biometric security systems (even your laptop login) from an increasing vulnerability to direct attacks, or spoofing. For Sébastien Marcel, Tabula Rasa Project Coordinator at the Idiap Research Institute in Geneva, though, the name was an obvious choice. "Tabula Rasa" means "clean slate" (literally "scraped tablet") in Latin. "I chose the name Tabula Rasa," he explains, "because I set up the project to break the mould or change things, and in the biometric field, especially in academia, the focus has mainly been on recognition algorithms: less attention was given to the problem of how easily the systems can be broken. So I wanted a radical shift -- to start again -- to clean the slate -- as it has been a problem that has been known for a while but has not received much attention in academia, unlike in industry."
Back in 2002, engineering professor Tsutomu Matsumoto showed that fingerprint recognition systems can be broken with artificial "gummy" fingers made simply from gelatine, while in 2009 researcher Duc Nguyen demonstrated at the annual Black Hat hacking conference that you could fool the facial recognition systems embedded in some laptops merely by showing them a photograph.
For Marcel, then, Tabula Rasa has two goals: "To be able to check if biometrics are vulnerable to spoofing attacks, and then [to decide] what countermeasures can be put in place."
"In the first year we have been putting in place some of the best partners in the world -- including the Chinese Academy of Sciences -- and then we've benchmarked the systems we have by inventing spoofing attacks, carrying them out and measuring their success rate. Now we know the vulnerability of the systems, in the next year we can develop countermeasures to detect attacks so the biometric systems will be stronger."
This will include a two-day international spoofing challenge at the 6th International Biometrics Conference in June 2013 "to try and break the systems we have put in place".
While Marcel cannot go into what these vulnerabilities are, owing to their obviously sensitive nature, he points out that it can be very easy to come up with simple countermeasures against, say, spoofing facial recognition systems. "You can decrease vulnerability of facial recognition systems, for example, by including temporal information such as eye movement to help differentiate between a picture and the real person, and then reflection and texture to block any vulnerability to video played on an iPhone or iPad."
However, the project does face challenges, not least because of "the need to discriminate over what's secret and what can't be kept secret", a conflict that arises from the fact that while academics exist in a culture of information, "our industrial partners, while they want the best systems ever, don't want to disclose too much information."
Additionally, privacy laws vary from country to country, which "makes sharing data difficult so you have to go for the best compromise". (Marcel wouldn't comment on whether there were any particular problems sharing data with the Chinese.)
Finally there's the budget -- "which isn't a lot for twelve partners".
For Giles Florey, the Tabula Rasa project has been more than worthwhile. "While we didn't wait for the project to find a way to pick up movement like eye blinking in our software, it is nonetheless helping us to optimise existing technologies we have and make them more robust. It is also helping us look at vulnerabilities of technologies that are coming out in the future," he says.
The project has highlighted, for example, how even something as seemingly spoof-proof as voice authentication "can be spoofed" using high-pitched noises that a computer erroneously recognises as a human voice.
In return, an industrial partner like KeyLemon provides Tabula Rasa with more than three million real users for the academics to play with. This is deemed useful since, as Florey puts it, "academics often have great technology but struggle to test it".
While Florey expects the first results from the project to be integrated into new KeyLemon products by the end of summer 2013, KeyLemon will be launching a new product later this year that moves "in the direction of" combined voice and facial recognition, the next step in the ever-escalating war against spoofers.
You can find out more about the European Commission initiative on the Tabula Rasa site.
This article was originally published by WIRED UK