1. Unlocking any door in the 21st century
Immersion in biometric security
1
Timur Yunusov & Alexandra Murzina

2. Who we are
● ex A-Team Cyber R&D Lab
● Head of research
● Senior ML security expert
2

3. Outline
● Current state of AI/ML in biometrics
● ML attacks landscape
● Attacking devices
○ Device 1 - undisclosed
○ Device 2 - ZKTeco
○ Device 3 - Eufy
● Conclusions
● Security Checklist
3

4. United States:
State-specific biometric laws, e.g., BIPA in Illinois and CCPA in California.
FBI uses biometrics for law enforcement and border control.
China:
Extensive government use of biometrics for surveillance and security.
Requirement to store critical data, including biometrics, within the
country.
India:
Aadhaar Act regulates biometric data collected under Aadhaar
program.
Proposed Data Privacy Bill aims for comprehensive data protection.
European Union (EU):
GDPR regulates biometric data with explicit consent and stringent
protection.
United Arab Emirates (UAE):
DIFC's data protection law covers biometric data.
Government uses biometrics extensively for security and services.
Japan:
APPI regulates personal data, including biometrics, with consent and
protection.
Legislation
United Kingdom:
Data Protection Act regulates personal data processing, including
biometrics.
Independent oversight of law enforcement biometric use by Biometrics
Commissioner.
South Korea:
PIPA considers biometric data "sensitive," requiring consent and
protection.
Regulations allow biometric authentication in financial transactions.
Brazil:
LGPD regulates personal data processing, including biometrics, with
consent and protection.
Requires security measures and impact assessments.
South Africa:
POPIA regulates personal data processing, including biometrics, with
consent and protection.
Russia:
Personal Data Law mandates consent for biometric processing.
Federal Law regulates fingerprinting.
Unified Biometric System enables bank identification.
Government uses biometrics for security and law enforcement.
4

5. Practical aspects
5

6. Current state of
AI/ML in biometrics
6

7. Physical Biometric
Modalities
Fingerprint Recognition
Face Recognition
Iris Recognition
Retina Recognition
Hand Geometry
Vein Recognition
Ear Recognition
DNA Biometrics
Behavioral Biometric
Modalities
Voice Recognition
Signature Recognition
Keystroke Dynamics
Gait Recognition
Mouse Dynamics
7

8. Physical Biometric
Modalities
Fingerprint Recognition
Face Recognition
Iris Recognition
Retina Recognition
Hand Geometry
Vein Recognition
Ear Recognition
DNA Biometrics
Behavioral Biometric
Modalities
Voice Recognition
Signature Recognition
Keystroke Dynamics
Gait Recognition
Mouse Dynamics
Early Methods, Eigenfaces
initially, manual analysis of facial features in photos measured distances and angles between
landmarks like eyes and nose. Automated face recognition began in the late 1980s with Eigenfaces,
using PCA to extract features from grayscale images, representing faces as weighted "eigenfaces."
Local Feature Methods
techniques like LBP and Gabor wavelets focused on specific face regions, capturing texture and
local changes.
2D and 3D Face Models
2D and 3D face models accounted for pose and expression variations, with 3D models providing
depth information.
8

9. Physical Biometric
Modalities
Fingerprint Recognition
Face Recognition
Iris Recognition
Retina Recognition
Hand Geometry
Vein Recognition
Ear Recognition
DNA Biometrics
Behavioral Biometric
Modalities
Voice Recognition
Signature Recognition
Keystroke Dynamics
Gait Recognition
Mouse Dynamics
Early Methods, Eigenfaces
initially, manual analysis of facial features in photos measured distances and angles between
landmarks like eyes and nose. Automated face recognition began in the late 1980s with Eigenfaces,
using PCA to extract features from grayscale images, representing faces as weighted "eigenfaces."
Local Feature Methods
techniques like LBP and Gabor wavelets focused on specific face regions, capturing texture and
local changes.
2D and 3D Face Models
2D and 3D face models accounted for pose and expression variations, with 3D models providing
depth information.
Machine Learning and Deep Learning
machine learning and deep learning techniques, like SVMs and CNNs, automatically learned and
extracted facial features from large datasets, enhancing recognition accuracy and robustness.
9

10. Physical Biometric
Modalities
Fingerprint Recognition
Face Recognition
Iris Recognition
Retina Recognition
Hand Geometry
Vein Recognition
Ear Recognition
DNA Biometrics
Behavioral Biometric
Modalities
Voice Recognition
Signature Recognition
Keystroke Dynamics
Gait Recognition
Mouse Dynamics
Early Methods, Eigenfaces
initially, manual analysis of facial features in photos measured distances and angles between
landmarks like eyes and nose. Automated face recognition began in the late 1980s with Eigenfaces,
using PCA to extract features from grayscale images, representing faces as weighted "eigenfaces."
Local Feature Methods
techniques like LBP and Gabor wavelets focused on specific face regions, capturing texture and
local changes.
2D and 3D Face Models
2D and 3D face models accounted for pose and expression variations, with 3D models providing
depth information.
Machine Learning and Deep Learning
machine learning and deep learning techniques, like SVMs and CNNs, automatically learned and
extracted facial features from large datasets, enhancing recognition accuracy and robustness.
Depth Sensing and Infrared Cameras
Modern systems use depth sensing and infrared cameras to capture facial information in
challenging lighting or obscured faces, enabling accurate recognition and spoof detection.
Multi-modal and Fusion Methods
Combining multiple biometric modalities, such as face and voice or fusing 2D and 3D data, has
enhanced recognition performance.
Emotion Recognition and Liveness Detection
Recent advancements include emotion recognition from facial expressions and liveness detection
to verify the subject's presence.
10

11. Physical Biometric
Modalities
Fingerprint Recognition
Face Recognition
Iris Recognition
Retina Recognition
Hand Geometry
Vein Recognition
Ear Recognition
DNA Biometrics
Behavioral Biometric
Modalities
Voice Recognition
Signature Recognition
Keystroke Dynamics
Gait Recognition
Mouse Dynamics
Face Detection
algorithms like Haar cascades or SSD locate and isolate faces in
images or video streams.
Face Alignment
detected faces are transformed into a standard format by
rotating, scaling, and translating them for uniformity.
Feature Extraction
machine learning models, such as CNNs, extract unique facial
features and create a face embedding or feature vector.
Face Matching
extracted features are compared with stored feature vectors
using distance metrics like Euclidean or cosine distance.
Systems identify the closest match or verify if the face matches
a specific representation.
Decision Making
the system determines whether to accept or reject
identification or verification based on matching results,
sometimes providing a confidence score or probability.
11

12. Physical Biometric
Modalities
Fingerprint Recognition
Face Recognition
Iris Recognition
Retina Recognition
Hand Geometry
Vein Recognition
Ear Recognition
DNA Biometrics
Behavioral Biometric
Modalities
Voice Recognition
Signature Recognition
Keystroke Dynamics
Gait Recognition
Mouse Dynamics
Face Detection
algorithms like Haar cascades or SSD locate and isolate faces in
images or video streams.
Face Alignment
detected faces are transformed into a standard format by
rotating, scaling, and translating them for uniformity.
Feature Extraction
machine learning models, such as CNNs, extract unique facial
features and create a face embedding or feature vector.
Face Matching
extracted features are compared with stored feature vectors
using distance metrics like Euclidean or cosine distance.
Systems identify the closest match or verify if the face matches
a specific representation.
Decision Making
the system determines whether to accept or reject
identification or verification based on matching results,
sometimes providing a confidence score or probability.
12

13. Physical Biometric
Modalities
Fingerprint Recognition
Face Recognition
Iris Recognition
Retina Recognition
Hand Geometry
Vein Recognition
Ear Recognition
DNA Biometrics
Behavioral Biometric
Modalities
Voice Recognition
Signature Recognition
Keystroke Dynamics
Gait Recognition
Mouse Dynamics
Face Detection
algorithms like Haar cascades or SSD locate and isolate faces in
images or video streams.
Face Alignment
detected faces are transformed into a standard format by
rotating, scaling, and translating them for uniformity.
Feature Extraction
machine learning models, such as CNNs, extract unique facial
features and create a face embedding or feature vector.
Face Matching
extracted features are compared with stored feature vectors
using distance metrics like Euclidean or cosine distance.
Systems identify the closest match or verify if the face matches
a specific representation.
Decision Making
the system determines whether to accept or reject
identification or verification based on matching results,
sometimes providing a confidence score or probability.
13

14. Physical Biometric
Modalities
Fingerprint Recognition
Face Recognition
Iris Recognition
Retina Recognition
Hand Geometry
Vein Recognition
Ear Recognition
DNA Biometrics
Behavioral Biometric
Modalities
Voice Recognition
Signature Recognition
Keystroke Dynamics
Gait Recognition
Mouse Dynamics
Face Detection
algorithms like Haar cascades or SSD locate and isolate faces in
images or video streams.
Face Alignment
detected faces are transformed into a standard format by
rotating, scaling, and translating them for uniformity.
Feature Extraction
machine learning models, such as CNNs, extract unique facial
features and create a face embedding or feature vector.
Face Matching
extracted features are compared with stored feature vectors
using distance metrics like Euclidean or cosine distance.
Systems identify the closest match or verify if the face matches
a specific representation.
Decision Making
the system determines whether to accept or reject
identification or verification based on matching results,
sometimes providing a confidence score or probability.
14

15. Physical Biometric
Modalities
Fingerprint Recognition
Face Recognition
Iris Recognition
Retina Recognition
Hand Geometry
Vein Recognition
Ear Recognition
DNA Biometrics
Behavioral Biometric
Modalities
Voice Recognition
Signature Recognition
Keystroke Dynamics
Gait Recognition
Mouse Dynamics
Face Detection
algorithms like Haar cascades or SSD locate and isolate faces in
images or video streams.
Face Alignment
detected faces are transformed into a standard format by
rotating, scaling, and translating them for uniformity.
Feature Extraction
machine learning models, such as CNNs, extract unique facial
features and create a face embedding or feature vector.
Face Matching
extracted features are compared with stored feature vectors
using distance metrics like Euclidean or cosine distance.
Systems identify the closest match or verify if the face matches
a specific representation.
Decision Making
the system determines whether to accept or reject
identification or verification based on matching results,
sometimes providing a confidence score or probability.
15

16. ML attacks landscape
16

17. ML attacks landscape v1
AI App Security Risk
Model
Security
• Adversarial ML
• Model
Backdoor
• Model Theft
Implementation
Security
• Sensor Security
• Flaws in Framework
• Logical Flaws
Data Integrity
Security
• Data Poisoning
• Scaling Attack
• Risk over Network
https://tinyurl.com/4fh7j3ky
17

18. https://tinyurl.com/339uetbz
18
AI Attacks
Promt
injection
Training
attacks
AI Agents Tools Storage Models
# alter agent routing
# send commands to
undefined systems
# execute arbitrary
commands on backend
business systems
# pass through injection on
connected tool systems
# code execution on agent
system
# attack embedding
databases
# extract sensitive data
# modify embedding data
resulting in tampered model
results
# bypass model protections
# force model to exhibit bias
# extraction of other users' and/or
backend data
# force model to exhibit intolerant
behavior
# poison other users' results
# disrupt model trust/reliability
#access unpublished models
# introduce bias into
the model
# disrupt model
trust/reliability
ML attacks landscape v2

19. Biometric attacks landscape
19
Data
acquisition
Feature
Extraction
Face Matching Decision
Data Storage
Attack on the
sensor by biometric
presentation type
Sample
replacement
Attack
on the signal
processor
Pattern
replacement
Attack on the
comparison
algorithm
Value
replacement
Decision
replacement
Replacement of
sample (pattern)
Replacement of link
to sample
Biometrics
attack
Infrastructure attacks

20. Attacking devices
20

21. Devices overview
facial recognition
access control device
time control
device
smart doorbell
21

22. Device #1
1) The customer bought an expensive B2B device
which we audited in their work environment
2) Typically, multiple devices are ordered for the
project:
one — for physical hacking, the second — for
logical and testing, the third is a backup
3) The result of the physical audit. Categories of
cameras in systems and in our system. The reason
for using depth cameras
22

23. Overview depth camera 2 x visible
light camera
23

24. Assumption #1
How does it work?
1) Detecting a face in
the frame.
2) Checking Liveness
with the depth
camera.
3) Capture the face from
the visible range
camera.
4) Pre-processing.
5) DNN
6) Comparison with the
database using
threshold 2500
depth camera 2 x visible
light camera
24

25. Assumption #1
How does it work?
1) Detecting a face in
the frame.
2) Checking Liveness
with the depth
camera.
3) Capture the face
from the visible
range camera.
4) Pre-processing.
5) DNN
6) Comparison with the
database using
threshold 2500
25

26. What if there are multiple faces in the
frame?
The larger head is the one being analyzed.
Assumption #2 | Multiple faces
26

27. Assumption #3 | universal face?
You need to pass 2500 threshold to get access.
Hypothesis — It is possible to authenticate
without having a photo of the reference user.
Create a generated face and present it to the
system via a spoofed channel.
27

28. 28
Assumption #3 | universal face?
Variational
Autoencoder
CelebA Dataset
Face Super-
Resolution
model
score > 2500 ?
digital physical
NO YES

29. Results #1
● The study unveils inadequate utilization of depth
camera data by the vendor.
● This deficiency may stem from hardware limitations,
potentially rendering the system more vulnerable to
attacks. Deep learning models do not interact with
depth maps in any way.
● Incorporating depth data in the training process
could enhance system reliability.
● However, it may also introduce complexities in the
preparation of training datasets.
29

30. Device #2 (ZKTeco)
1) Time tracking terminal
2) No CUDA
3) ML algorithms from 2010
30

31. Overview
It uses only infrared camera
31

32. How it works
32
Biometrical algorithms:
1) Gabor Filters https://t.co/CBFKums9TO
2) Local Binary Pattern https://t.co/OxYFkTZTP0
Gabor filter
Local binary pattern
As seen by the infrared
light camera

33. LED lamp inspiration
33
LED lamps emit a lot of their
energy in the form of
infrared light

34. LED lamp inspiration
34
printing a photo on transparent film
LED lamps emit a lot of their
energy in the form of
infrared light

35. LED lamp inspiration
35
LED lamps emit a lot of their
energy in the form of
infrared light
printing a photo on transparent film
shining an
incandescent light
through it

36. Results #2
● We discovered logical vulnerabilities in the terminal,
enabling a more detailed examination of its
functioning.
● One notable attempt involved creating a unique
single-frame screen displayed on transparent film
and illuminated with infrared light
● Unfortunately, the terminal exhibited high sensitivity
to specific changes. For instance, it identified the
same user differently when wearing or not wearing
glasses, treating them as distinct individuals.
● Nevertheless, the combination of technologies,
including Gabor filters, local binary patterns, and an
infrared camera, provides a solid defense against
potential attacks
36

37. Device #3 (Eufy)
Smart doorbells become the part of everyone’s life
Vendors add “AI” to the device
Now the product is more complex
Is it more secure now?
37

38. Overview ● The Smart Doorbell is a high-tech home security device.
It offers HD video, two-way audio, motion detection, and
local storage (c)
● It's privacy-focused with robust encryption and
integrates with other devices (c)
38

39. Issue #1: Man-in-the-middle attack
Device checks for firmware
updates every time it boots
There’s no SSL pinning
Firmware is “signed” with MD5
39

40. Issue #2: Military grade encryption
● All videos are stored on a 4GB “smart
hub”
● There’s AES-128 encryption
● Key is generate using srand() PRNG
● Seed is time()
● 30s to find the key and decrypt the
videos
40

41. Issue #3: Authorisation bypass
Every snapshot is
uploaded to AWS
Server generates AWS
signature for
uploading/downloading
41

42. Issue #3: Authorisation bypass
Every snapshot is uploaded to AWS
Server generates AWS signature for
uploading/downloading
Path traversal in link signature generation
Any snapshot of any eufy user is available
42

43. Issue #4: Unlocked USB-OTG
Direct physical access to shell
Access to firmware binaries
model.bin.tar
43

44. Overview
● The Smart Doorbell is a high-tech home security device.
It offers HD video, two-way audio, motion detection, and
local storage (c)
● It's privacy-focused with robust encryption and
integrates with other devices (c)
● You can choose between battery or wired installation,
and it's weather-resistant. Control it via a user-friendly
app for remote monitoring and alerts (c)
44

45. Overview
● The Smart Doorbell is a high-tech home security device.
It offers HD video, two-way audio, motion detection, and
local storage (c)
● It's privacy-focused with robust encryption and
integrates with other devices (c)
● You can choose between battery or wired installation,
and it's weather-resistant. Control it via a user-friendly
app for remote monitoring and alerts (c)
45

46. Is it still vulnerable?
46

47. https://github.com/kripthor/talks_and_slides/blob
/main/IoT-Landscape.pdf
47

48. More evidence that Eufy can’t be
hacked
48

49. Lessons learned
Newer, better, more secure - False
More advanced ML - more resilient algorithms - False
Cheaper devices - less security - False
49

50. Checklist
50
Hardware/Software
- Enumerate interfaces
- ethernet
- USB, serial and debugging ports
- mics and cameras
- Investigate available cameras
- infra-red, depth camera, etc
- Firmware
- Download the FW from public or using MiTM
- Open a device and extract the FW from a chip
- Get information about the vendor
- Can the models and algorithms be extracted
- Where and how images/videos are stored and processed (cloud or on-prem)
- Assess the infrastructure and public libs
Data privacy & Model robustness (Grey Box)
- Errors in the recognition pipeline
- Adversarial attacks
- deepfakes
- universal faces
- similar faces
- Liveness checks
Data integrity & Model confidentiality tests (Black Box)
- Interfering with sensors
- With light
- By the channel interference
- Spoofing
- Determine crucial elements on a face by overlapping parts
- Can we use a digital face instead, e.g., a large LCD
- DDoS by presenting a large number of faces
- Applying patches and masks
- Data stealing
- Targeted and untargeted attacks

51. Kudos
51
Alexander Migutsky
Denis Goryushev
Egor Zaitsev
Dmitry Sklyarov
Pedro Umbelino
Cyber R&D Lab (RIP)