CUHK research team reveals vulnerabilities in enterprise networking services and mobile facial recognition systems

2023-10-26

Media Release

11 out of 18 mobile facial recognition software development kits have security flaws.
63 out of 132 VPN front-end apps have serious vulnerabilities.
Out of more than 2,000 colleges and universities worldwide, 86% instruct users to adopt unsafe Wi-Fi settings on at least one device platform.

The use of facial recognition technology has become prolific, and with the rise of Wi-Fi and virtual private networks (VPNs), their security has become a hot-button topic. Two research teams from The Chinese University of Hong Kong (CUHK)’s Department of Information Engineering have recently revealed security vulnerabilities in mobile facial recognition software and enterprises’ Wi-Fi and VPN setups that have a real-world impact.

Bypassing facial identification in mobile apps is easier than previously thought

Users’ identity documents and selfies are easily stolen and sold on the black market, allowing them to be used for identity fraud. To prevent this from happening, most facial recognition systems require users to perform actions such as blinking or shaking their heads, known as liveness detection. While many researchers have studied deepfake or 3D mask attacks that target machine learning models, few have addressed the protocol design or implementation issues in facial recognition systems that can enable low-cost, easy-to-scale attacks.

A research team led by Professor Lau Wing-cheong from the Department of Information Engineering analysed 18 mobile facial recognition software development kits (SDKs), including those from industry leaders, and revealed security flaws in 11 of them that can result in liveness detection bypasses. After building an automatic app analyser to scan more than 18,000 apps, CUHK researchers found that around 300 contained at least one of the vulnerable facial recognition libraries. By exploiting design flaws in the SDKs, an attacker can circumvent facial identification using only static photos of the victim.

The research team has provided security tips for the design of app facial recognition systems and contacted the software companies about the vulnerabilities. The team recently presented its findings at the Black Hat USA 2023 conference, under the title “The Living Dead: Hacking Mobile Face Recognition SDKs with Non-Deepfake Attacks”.

Safety tips for the design of facial recognition systems:

Perform cloud-based liveness detection when possible. Never trust client-side results.
Defense in depth: adopt multiple layers of security control; enforce robust client protection, including app hardening and anti-debugging.
Properly encrypt configurations and data that are exchanged between library, app and server during the facial recognition process.

Insecure enterprise Wi-Fi & VPNs allow attackers to compromise passwords and devices

Many employers provide their employees with enterprise Wi-Fi and VPN services, making it easier for them to use mobile devices such as laptop computers and smartphones to work on the go. To better understand their security issues, a research team led by Professor Chau Sze-yiu from the Department of Information Engineering conducted in-depth testing and analysis of enterprise Wi-Fi and VPNs.

With enterprise Wi-Fi, the research team discovered several design and implementation flaws in mainstream operating systems, which force users to adopt insecure wireless network settings, making them susceptible to attacks. The team also analysed more than 7,000 Wi-Fi setup guides from more than 2,000 colleges and universities around the world and found that about 86% instruct users to adopt unsafe Wi-Fi settings on at least one mainstream operating system. Due to these unfortunate oversights from software vendors and IT admins, attackers can steal users’ passwords using low-cost Wi-Fi impersonators.

With VPNs, the research team tested 132 front-end applications used around the globe and found serious yet previously unknown vulnerabilities in 63. These vulnerabilities allow hackers to steal user passwords easily and stealthily. In addition, the front-end applications of some VPN products allow a network attacker to execute arbitrary malicious code with high privileges on the user’s device, compromising the entire system. The research team also analysed about 2,000 VPN user manuals from universities worldwide and found configuration issues in more than 300 of them, which could make users fall into traps and have their passwords stolen by hackers.

Given the severity of these findings, the research team has made various safety recommendations to people affected and informed a number of local and foreign institutions about the defects. This research has led to the publication of three papers at well-known international academic conferences. The team was given the Best Paper Award at the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks (ACM WiSec 2023).

Safety tips for enterprise Wi-Fi and VPNs.

For vendors: good products are not just about functionality and usability; they need to be designed carefully to nudge users into choosing secure settings, and also tested thoroughly to prevent implementation defects that can reduce security.
For IT admins: when it comes to educating users, it is important to teach them not only how to make things work, but also how to make things safe. Think about scenarios where the unexpected can happen and teach users how to deal with them properly.
For users: although it can be very tempting, blindly clicking buttons like “OK”, “Connect” and “Accept” is generally bad practice. Try to understand the potential implications before giving in to the convenience. When in doubt, talk to IT admin and ask questions.

Appendix

Please click the links below for the conference briefing and papers.

The Living Dead: Hacking Mobile Face Recognition SDKs with Non- Deepfake Attacks

Back to School: On the (In)Security of Academic VPNs

The Devil is in the Details: Hidden Problems of Client-Side Enterprise Wi-Fi Configurators

All your Credentials are Belong to Us: On Insecure WPA2-Enterprise Configurations

A low-cast, portable Evil Twin (ET) attack setup

Professor Chau Sze-yiu’s team won the Best Paper Award at the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks (ACM WiSec 2023)

Different types of liveness detection schemes used by facial recognition systems

From left: Professor Lau Wing-cheong and Professor Chau Sze-yiu