Android Jelly Bean’s Facial Liveness Check Can Be Bypassed Using Simple Image Manipulation [VIDEO]
Whenever large companies like Google, Apple or Microsoft take the opportunity to make major revisions to their mobile operating systems, they always implement a number of headline grabbing features that show the update is worthy of a new name or version number. In most circumstances, the announced improvements are generally on the feature side, and although they add a whole host of behind-the-scenes additions, this isn’t really what the end-user wants to read about. Regardless of new features, mobile device security is something that is extremely important to all users regardless of whether it is their first priority or not.
As part of their continuous updates to the Android OS, Google has consistently implemented a number of security features that theoretically make devices powered by the OS a lot safer. The Ice Cream Sandwich version of Android brought with it facial recognition detection which allows users to unlock the device when the camera detected the correct face using the front-facing camera. In the latest Jelly Bean update, they have taken things one step further by adding a liveness check to that detection algorithm, something that basically means before the device is unlocked, the detected face needs to show signs of being alive, something which could be easily bypassed in Ice Cream Sandwich using a simple photo.
Rather than having the user pull off some crazy faces and tongue wiggling, the system detects the user’s eyes and merely waits until a blink appears before running the face against the stored image and then finally unlocks the device. Pretty clever stuff, and should make the device a lot more secure, right? Well, in theory yes, but in reality a couple of YouTube members have proven that this method isn’t as infallible as Google would have hoped. It seems that the liveness check can be bypassed using a simple image of the user and some Photoshop trickery.
To combat the liveness check in the facial detection algorithm, you will actually need a photograph of the person’s face which the device is trained to recognize. In today’s socially connected world, a photograph of a person isn’t particularly hard to come by as long as you know who you are looking for. The bypass method works by matching the skin tone of the person’s face and then covering over their eyes on a copy of the image. Focusing the front facing device camera on the screen and then flicking back and forth between the original and the altered image is enough to trick the device into thinking it is actually focused on a real blinking person.
It may seem like a lot of work to go through, but if you are the type of person who is attempting to force access a device that doesn’t belong to you then it is relatively simple. This method of granting access is just another example of why facial detection recognition on devices isn’t ready to be taken seriously as a security measure.