Full Disclosure mailing list archives

Face Authentication Bypassing – KeyLemon


From: omarbv () riseup net
Date: Wed, 15 Jun 2016 11:08:17 +0300

Application
-----------
KeyLemon offers convenient, secure and continuous biometric authentication solutions based on face and speaker recognition.

To improve robustness to illumination and pose, as well as to provide enhanced security against photo/video spoofing attacks, KeyLemon's latest face recognition algorithms take full benefit of 3D depth sense cameras by efficiently combining depth, near-infrared and color information.
(Description from the official website https://www.keylemon.com)


Vulnerability
-------------
Face Authentication Bypassing / Anti-Spoofing Bypassing

It is possible to bypass the face recognition software using just a selfie in the Free version or a GIF animation in the Gold License version, even with the recognition accuracy set to high.


PoC
---
In the first case, for the FREE desktop application, I created a profile in two different scenarios:
- bad conditions (wearing glasses and low light)
- good conditions (no glasses and great lighting)

All I used was an iPhone and the front camera to shoot a selfie, and in both scenarios I was able to log in to my session without a problem.

Video showing how the FREE version can be bypassed with a selfie: https://www.youtube.com/watch?v=wPuVUj5mRgI

In the second case, the GOLD version, I set up the Security Level to high, and selected the anti-spoofing check.

There were two different ways to get the blinking "effect":
- using a video (with the iPhone front camera I recorded an 8-second video)
- using a GIF (with the iPhone front camera, I shot two photos: one selfie with eyes open, another selfie with eyes closed, and used Best Animation Maker as the GIF maker)

Video recorded showing how the GOLD version can be bypassed with a gif or video: https://www.youtube.com/watch?v=pCaEJoch6Zc

More information and steps:
https://www.omarbv.com/?p=4676&lang=en


Affected versions
-----------------
KeyLemon 2.7.5 for Mac OS X
KeyLemon 3.2.3 for Windows Vista/7/8
(Older versions are also vulnerable.)


Timeline
--------
2016-05-24: Initial disclosure to vendor
2016-05-24: Vendor responded with “KeyLemon introduced since version 2.5 antispoofing check feature. This feature requires GOLD package.”
2016-06-06: Vendor was contacted again, regarding the vulnerability in the GOLD version.
2016-06-07: Vendor responded with “In the current case, you are fully cooperating with the system to spoof it. This is similar as if you give your password. In KeyLemon desktop application we decided of a threshold between security and convenience.”
2016-06-13: Public disclosure


Discovered by
-------------
Omar Benbouazza
www.omarbv.com
@omarbv

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
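
A defender-side illustration of why the two-photo GIF described in the PoC can satisfy a weak blink check, and one heuristic that separates it from a live blink. This is an added example, not part of the original advisory and not KeyLemon's code; the per-frame eye-openness score, both function names, the thresholds and the sample sequences are assumptions constructed for illustration.

```python
"""Added illustration: separate a two-photo GIF from a live blink.

Assumption: an upstream face-landmark step yields one eye-openness score
per captured frame (0.0 = closed, 1.0 = wide open) at roughly 30 fps.
All thresholds and sample sequences below are constructed, not measured.
"""

def naive_blink_check(openness, closed_below=0.2, open_above=0.7):
    """Hypothetical weak check: passes if eyes were seen both closed and open."""
    return min(openness) < closed_below and max(openness) > open_above

def classify_blink_signal(openness, min_swing=0.3, flat_tol=0.05):
    """Return 'no_blink', 'two_state_replay' or 'plausible_blink'."""
    if len(openness) < 2:
        return "no_blink"
    lo, hi = min(openness), max(openness)
    if hi - lo < min_swing:
        return "no_blink"            # static photo: openness never changes
    mid = (lo + hi) / 2
    open_vals = [v for v in openness if v >= mid]
    closed_vals = [v for v in openness if v < mid]
    # An eyelid passes through partly closed positions while it moves, so a
    # live capture spreads samples between the two extremes. Two alternating
    # still images leave every sample on one of two flat levels.
    def is_flat(vals):
        return max(vals) - min(vals) <= flat_tol
    if is_flat(open_vals) and is_flat(closed_vals):
        return "two_state_replay"
    return "plausible_blink"

# Constructed samples (not captured data).
STATIC_SELFIE = [0.85, 0.84, 0.86, 0.85, 0.85, 0.84, 0.86, 0.85]
TWO_FRAME_GIF = ([0.85, 0.84, 0.86, 0.85] + [0.11, 0.10, 0.12, 0.11]) * 3
LIVE_BLINK = [0.86, 0.83, 0.88, 0.85, 0.60, 0.30, 0.10, 0.10,
              0.35, 0.70, 0.84, 0.87, 0.82, 0.86]

if __name__ == "__main__":
    for name, sig in [("static selfie", STATIC_SELFIE),
                      ("two-frame GIF", TWO_FRAME_GIF),
                      ("live blink", LIVE_BLINK)]:
        print(f"{name:14} naive={naive_blink_check(sig)!s:5} "
              f"classified={classify_blink_signal(sig)}")
```

A replayed recording of a real blink, the other method in the PoC, contains intermediate frames and is not caught by this heuristic.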
