Facial recognition is a technology that can identify and verify people by analyzing their facial features. It is widely used in various applications, such as unlocking smartphones, accessing online services, or verifying identity documents. However, facial recognition is not foolproof and can be vulnerable to spoofing attacks, where an attacker tries to trick the system by presenting a fake face. One of the most common and easy ways to spoof facial recognition is by using a photo of the target person.
Photo spoofing is a type of presentation attack that involves showing a printed or digital photo of the target person to the camera of the facial recognition system. The photo can be obtained from social media, online databases, or other sources. The attacker can either hold the photo in front of their face or use a device such as a tablet or a laptop to display the photo.
The goal of photo spoofing is to bypass the facial recognition system and gain unauthorized access to the target person’s device or account. For example, an attacker can use a photo of the owner to unlock their smartphone, make mobile payments, or log into their online services.
Android facial recognition is a feature that allows users to unlock their smartphones or tablets using their face. It is based on Google’s Face Unlock API, which provides developers with access to facial recognition services. However, Android facial recognition is not very secure and can be easily fooled by a photo of the user.
According to a study by Which?, 40% of smartphones tested at Which? labs since August 2022 have face recognition that can be spoofed with a 2D printed photo, allowing criminals to easily gain access to the phone. The study revealed that phones from major brands such as Samsung, Motorola, Nokia, Oppo, Vivo, and Xiaomi were affected by this vulnerability.
The reason why Android facial recognition can be fooled by a photo is that it does not use advanced techniques to detect liveness or spoofing. Liveness detection is the process of verifying that the face presented to the camera is alive and not a fake. Spoof detection is the process of detecting and rejecting presentation attacks such as photos, videos, or masks.
Some techniques that can be used for liveness or spoof detection are:
Depth analysis: This technique involves measuring the depth or distance of different parts of the face and comparing them with expected values.
Texture analysis: This technique involves analyzing the texture or quality of the face image and detecting anomalies such as blurriness, noise, or moiré patterns.
Motion analysis: This technique involves tracking the movement or expression of the face and checking for naturalness and consistency.
Challenge-response: This technique involves asking the user to perform some actions such as blinking, smiling, or nodding and verifying their response.
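The depth analysis technique listed above can be sketched as follows. This is an added example, not code from the original page or from any Android face unlock implementation; the landmark coordinates, depth values, noise and the 5 mm threshold are constructed assumptions.

```python
import math

# Assumed threshold (mm); a real system would calibrate it per depth sensor.
MIN_RELIEF_MM = 5.0

def _det3(m):
    (a, b, c), (d, e, f), (g, h, i) = m
    return a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)

def plane_residual_mm(points):
    """RMS deviation (mm) of depth samples from their best-fit plane z = a*x + b*y + c."""
    n = len(points)
    sx = sum(x for x, _, _ in points)
    sy = sum(y for _, y, _ in points)
    sz = sum(z for _, _, z in points)
    sxx = sum(x * x for x, _, _ in points)
    syy = sum(y * y for _, y, _ in points)
    sxy = sum(x * y for x, y, _ in points)
    sxz = sum(x * z for x, _, z in points)
    syz = sum(y * z for _, y, z in points)
    # Normal equations of the least-squares fit, solved with Cramer's rule.
    m = [[sxx, sxy, sx], [sxy, syy, sy], [sx, sy, n]]
    v = [sxz, syz, sz]
    det = _det3(m)
    if abs(det) < 1e-9:
        raise ValueError("degenerate landmark layout, cannot fit a plane")
    coeffs = []
    for col in range(3):
        mc = [row[:] for row in m]
        for r in range(3):
            mc[r][col] = v[r]
        coeffs.append(_det3(mc) / det)
    a, b, c = coeffs
    return math.sqrt(sum((z - (a * x + b * y + c)) ** 2 for x, y, z in points) / n)

def looks_live(points):
    # A flat surface held at an angle still has a wide raw depth range, so the
    # signal used here is relief relative to the fitted plane, not raw range.
    return plane_residual_mm(points) >= MIN_RELIEF_MM

# Constructed landmark positions (x, y in mm): eyes, nose tip, mouth corners, chin, cheeks.
XY = [(-32, 30), (32, 30), (0, 0), (-25, -35), (25, -35), (0, -65), (-55, 0), (55, 0)]
# Constructed depths (mm from camera) for a real face: nose nearest, cheeks farthest.
FACE = [(x, y, z) for (x, y), z in zip(XY, [425, 425, 400, 420, 420, 418, 440, 440])]
# Constructed flat photo, tilted, with small sensor noise.
NOISE = [0.3, -0.2, 0.1, -0.4, 0.2, 0.0, -0.1, 0.3]
PHOTO = [(x, y, 400 + 0.4 * x + 0.1 * y + e) for (x, y), e in zip(XY, NOISE)]

if __name__ == "__main__":
    for name, pts in (("face", FACE), ("photo", PHOTO)):
        print(name, round(plane_residual_mm(pts), 2), looks_live(pts))
```

With these constructed samples the face shows about 11.7 mm of relief around its best-fit plane, while the flat surface stays under 1 mm even though its raw depth range is wider than the face's.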
Android facial recognition is a convenient but insecure feature that can be fooled by a photo of the user. Photo spoofing is a simple and effective way to bypass facial recognition systems and gain unauthorized access to devices or accounts. To prevent photo spoofing attacks, Android users should use alternative security methods such as PIN or fingerprint recognition, or look for facial recognition systems that use liveness or spoof detection techniques.