Security Analysis of Facial Recognition SDKs for Mobile App (29 Apr 2024)
Date: 29-Apr (Mon)
Time: 7:15pm – 8:30pm
Venue: HKU SPACE, ADC 314, 3/F, Admiralty Centre (海富中心), Admiralty
Language: Cantonese
Fee: FREE
Register: https://bit.ly/pisa240429 (PISA and supporting members only)
Highlight
Speaker:
Professor Wing C. Lau, Department of Information Engineering and the Director of the Mobile Technologies Centre (MobiTeC), The Chinese University of Hong Kong.
Abstract:
Mobile apps are embracing facial recognition technology to streamline the identity verification procedure for security-critical activities such as opening online bank accounts. To ensure the security of the system, liveness detection plays a vital role as an anti-spoofing component, verifying that a selfie provided is from a live individual. Emerging facial recognition companies offer convenient integration services through mobile Software Development Kits (SDKs) / libraries that are widely utilized by numerous apps in practice. By analyzing 18 mobile facial recognition SDKs in the market, we reveal the protocol design and implementation intricacies of various systems.
Our investigation leads to the discovery of several system security issues in over half of the libraries, predominantly linked to the liveness detection module. These vulnerabilities can be exploited for low-cost identity forgery attacks without relying on media synthesizing technologies like Deepfake. We scan over 18,000 apps from an app market and identify 800+ of them incorporating recognized facial recognition libraries, with over 100 million total downloads. More than half of the libraries under study exhibit weak security, with about 40% of downstream mobile apps being affected. Our study emphasizes the importance of system security in mobile facial recognition services, as the practical impact can be on par with or even surpass the extensively studied Machine Learning-based attacks.
With this talk, we hope to draw the security community’s attention back to system security in the era of AI.
Biography:
Wing C. Lau is a Professor in the Department of Information Engineering and the Director of the Mobile Technologies Centre (MobiTeC) at The Chinese University of Hong Kong. Wing received his B.S.(Eng) degree from the University of Hong Kong and M.S. and Ph.D. degrees in Electrical and Computer Engineering from the University of Texas at Austin. Before returning to academia, Wing worked in the US industry for a decade. He was a Member of the Technical Staff with the Performance Analysis Department, Bell Laboratories, Holmdel, New Jersey, where he conducted research in high-speed networking protocols and systems. Wing also had a stint with Qualcomm, San Diego, California, where he designed the architecture and protocols for Next Generation Wireless services and actively contributed to their standardization in the Internet Engineering Task Force (IETF) and 3GPPs. Wing holds 19 U.S. patents and his research findings have culminated in more than 130 publications in major international conferences and journals. His recent research interests include: Security and Privacy of Online Social Networks, Single-Sign-On protocols and Mobile Payment Systems; Graph Neural Networks and their applications; Online Machine Learning algorithms; Resource allocation and Optimization for Cloud Computing/Big Data Processing Systems; High-capacity Authenticated 2D barcodes. Dr. Lau is/has been a Technical Program Committee member of ACM Sigmetrics, MobiHoc, IEEE INFOCOM, SECON, WiOpt, ICC, GLOBECOM, WCNC, VTC and the International Teletraffic Congress, etc. He also served as a Guest Editor for the Special Issue on High-speed Network Security of IEEE Journal of Selected Areas in Communications (JSAC). For their work on Single-Sign-On SDK security, Wing and his team received the Internet Defense Prize from USENIX and Facebook in 2018.
For any questions, please send an email to info@pisa.org.hk or send a message via m.me/pisahkg to seek our support. Thanks.