SecureMac, Inc.

A Security Exploit Using Live Photos Showcases the Need for Biometric Scrutiny

September 1, 2016

Personal biometric data, such as our faces and fingerprints, is increasingly used as a set of digital keys for unlocking access to many of our important devices and services. For example, many banks now take advantage of the iPhone’s built-in fingerprint scanner to allow quick and easy access to their mobile banking applications. This application affords a great deal of convenience for the user, generating a positive experience.

Beneath the “cool” factor, though, these new technologies must be strictly evaluated in terms of their real-world effectiveness. Are we sacrificing actual security in favor of implementing user-friendly ID methods that yield the impression of a secure system? Biometric measures may present faster, simpler ways of identifying ourselves, but even fingerprints are vulnerable to compromise. As facial recognition software proliferates, banks and other institutions holding sensitive data are now looking towards it as the next opportunity to add layers of security. However, a security researcher recently discovered that some of these systems can be easily defeated with a basic feature of the iPhone, Live Photos.

The exploit itself is relatively straightforward, although narrow in its potential applications. The researcher targeted apps that asked the user to look into the camera and hold a particular expression. Live Photos capture about 30 seconds around a single photograph and condense it into a GIF-like moving image. By creating a Live Photo mimicking the biometric login procedure, the researcher was able to play the image on another device and fool the bank app into authorizing a login.

The researcher did not investigate whether or not a short video clip could defeat facial recognition in the same way. Even so, it doesn’t take much to imagine a successful attack involving such a technique. As long as the video clip was well-lit, stable, and of sufficient length, one might expect the recognition software to be similarly fooled.

Clearly, this is a very specific flaw which would be difficult to exploit effectively. Nonetheless, it showcases the need for caution concerning biometric security. Though Live Photos themselves are not a security flaw per se, their use here demonstrates that we must give great consideration to how and where facial recognition software is implemented. With hackers already stealing fingerprint data in data breaches, how we safeguard our biometric data deserves attention as well. The potential impact of features like Live Photos on security cannot be ignored, either.

Though biometrics represent the next step in the evolution of digital security, they must be more than buzzworthy new features. Instead, thorough vetting and careful research are necessary to uncover and prevent truly critical exploits in the future. As our digital world grows in size and scope, the importance of these emerging technologies is clear. So, too, is the need for vigilance against threats to the digital security of our facial features and fingerprints.
