Over the years, there has been a lot of push for Image recognition systems and more and more companies are entering the field each with their own claims of supernatural accuracy. Plus, with all the amazing ‘tech’ being showcased in the movies and on TV people are primed to expect that level of accuracy. Unfortunately, reality is a lot more weird and based on research its pretty simple to fool image recognition systems. In the past people have tricked systems to misidentifying a banana as a toaster by modifying parts of the image. There was another recent event where the Tesla self navigation system kept thinking the moon was a Yellow light and insisted on slowing down. There are so many of these ‘edge’ cases that it is not even funny.
A specific use case for image recognition is Facial recognition and that is a similar mess. I have personally used a photo of an authorized user to get a recognition system to unlock a door during testing. We have cases where wearing glasses confuses the system that it locks you out. Now according to research conducted by the Blavatnik School of Computer Science and the school of Electrical Engineering it is possible to create a ‘master’ face that can be used to impersonate multiple ID’s. In their study they found that the 9 faces created by the StyleGAN Generative Adversarial Network (GAN) could impersonate 40% of the population. Testing against the University of Massachusetts’ Labeled Faces in the Wild (LFW) open source database they were able to impersonate 20% of the identities in the database with a single photo.
Basically, they are exploiting the fact that most facial recognition systems use broad sets of markers to identify specific individuals and StyleGAN creates a template containing multiple such markers which can then be used to fool the recognition systems.
Abstract: A master face is a face image that passes face-based identity-authentication for a large portion of the population. These faces can be used to impersonate, with a high probability of success, any user, without having access to any user-information. We optimize these faces, by using an evolutionary algorithm in the latent embedding space of the StyleGAN face generator. Multiple evolutionary strategies are compared, and we propose a novel approach that employs a neural network in order to direct the search in the direction of promising samples, without adding fitness evaluations. The results we present demonstrate that it is possible to obtain a high coverage of the population (over 40%) with less than 10 master faces, for three leading deep face recognition systems.
Their paper has been published and is available for download here: Generating Master Faces for Dictionary Attacks with a Network-Assisted Latent Space Evolution.
With more and more companies pushing for AI based recognition systems as fool proof systems (looking at you Apple, with your latest nonsense about protecting kids by scanning personal photos) it is imperative that more such research is conducted before these systems are pushed into production based on the claims in their marketing brochures.
Thanks to Schneier on Security: Using “Master Faces” to Bypass Face-Recognition Authenticating Systems
– Suramya