Are there loopholes in "face-scan login"? Expert: the theft of biometric data is the greater danger.
At the CCTV March 15 (3.15) consumer rights gala, the host produced a photo of his own ID card on the spot. After about a minute of processing, the photo changed from static to dynamic: the face in it could blink and smile. The host then opened a face-recognition app on a mobile phone, followed the steps of the face-scan login, and logged in successfully.
The host next invited an audience member at random and found a public selfie on that person's personal Weibo account. After on-site technical processing, this single photo was quickly turned into a 3D face model that looked exactly like the audience member. The host then pointed the phone's camera at himself, overlaid the audience member's 3D face model on his own face to "change faces", and performed the blinking, head-turning and smiling actions one by one as prompted by the app's liveness detection. The app was deceived and the liveness authentication completed successfully.
Xinhua News Agency, Shanghai, March 19 (Reporter He Xinrong). With nothing more than an audience member's selfie, a mobile phone's face authentication system was successfully defeated. The security loopholes in "face-scan login" attracted wide attention during the recent March 15 consumer rights events. Information security experts, however, believe that compared with loopholes in the data transmission and authentication process, the theft of biometric data stored on the back end poses the greater risk to users.
As technology advances, biometric authentication methods such as fingerprint, iris and face recognition keep evolving, and the traditional "username + password" has grown into a more layered protection scheme of "username + password + biometric + liveness detection". Faced with ever more sophisticated authentication technology, both individuals and enterprises feel that their level of security has risen accordingly.
That is not necessarily the case. Face recognition, for example, looks quite advanced, but once criminals overcome the technical barrier they can harm consumers by "scanning their faces" on their behalf, provided they have also obtained the consumers' other personal information.
After the face-recognition vulnerability was exposed, many Internet companies promptly issued statements saying that this risk had been foreseen. Yan Shuicheng, chief scientist at 360, said that face authentication technology cannot yet be considered mature in every setting, and that in scenarios involving important information such as personal privacy and property, enabling multiple authentication methods is recommended.
Tan Jianfeng, president of the Shanghai Information Security Industry Association, added that in principle all authentication comes down to a comparison of information between the server and the party being authenticated. In an Internet environment, adopting biometric authentication necessarily generates feature data, and all biometric data, once it enters a computer, is converted into binary machine code of 0s and 1s and stored in a database.
"The biggest common feature of biometric authentication is uniqueness. Everyone has a unique face, fingerprint and iris, and it is this uniqueness that makes people think biometric authentication is safe. However, once the biometric database is breached, a large amount of unique biometric data will be stolen, which will bring risks far more serious than 'fraudulent swiping'. This is the real 'pain point' of biometric authentication," Tan Jianfeng said.
In Tan Jianfeng's view, biometric authentication at this stage is actually better suited to local, non-networked applications such as access control, safes and bank vaults. Without the backing of mature information security technology, Internet companies should not rush to attract the public with a technology that still carries security risks as a "gimmick".
At this year's CCTV March 15 gala, an interactive demonstration testing the security of face recognition was alarming. With the help of technical experts, the host was able not only to make an audience member's selfie blink, but also to turn it into a face model that anyone could control, thereby breaking the face authentication.
What exactly is this "face change"? Qiu Xuekan, a visual analysis expert at the 360 Artificial Intelligence Research Institute, explained that face recognition must pass two checks: face comparison, which decides whether the face being verified belongs to the claimed person, and liveness detection, which decides whether the face being verified is real and valid. Given clear frontal photos, this demonstration targeted mainly the second check. To defeat the face-scan login from the host's ID photo, the on-site technicians used facial key-point localisation and automatic face-animation technology to turn the static selfie into a moving one, producing the blinking and smiling actions the login required. The liveness detection was defeated by converting the randomly selected audience member's photo into a solid face model through 3D modelling.