
Forums - Sony - PS4's user login easily hackable

Hacking the PS4's facial recognition by creating a universal login key

 

A lesser known feature of the PS4 is that if the PlayStation Camera is connected, you can log into a user account via facial recognition. During testing, we found that both the calibration and facial recognition login were highly accurate. So, we did what any good journalists would do and tested the limits of the camera’s accuracy by becoming Iron Man.

If set up in the appropriate conditions — decent lighting, your cool-guy long hair not obscuring your eyebrows, standing at the sweet spot distance from the PS Camera — the facial recognition calibration is quick and simple. After it recognizes your face, it asks you to perform some relaxing loosening motions with your head and neck, the same ones you’d do before preparing for some shoulder shrugs. Tilt your head side to side, rotate it back and forth, nod up and down, and your visage will be recognized by the PS4. Though the facial recognition login feature is convenient, it can also be used as an extra layer of security — which we decided to try and crack.

We used one of many Iron Man masks we had lying around our professional workplace. The PS4 would not recognize it no matter how many posh poses were struck. This was likely due to the mask’s lack of facial features, so we grabbed a Sharpie and created. The PS4 helpfully suggests that we make sure our eyebrows are unobscured, so we drew some eyebrows onto our mask. We also gave the mask a little cartoon nose, partly because it’s hilarious, but mainly because the blank slate of Iron Man’s mask doesn’t look very much like a human face. That masterpiece made it through the first head relaxation exercise, but not the second, so we added a more noticeable item in the nose region in the hope that it would simulate the real sniffly deal.

Despite my cold, dead eyes, the piece of tape actually did the trick, and the facial calibration was a breeze. The PS4 immediately noticed when I walked into the picture, and each relaxation exercise worked quickly, instantly passing the test after only a couple of novice-level head maneuvers.

We attached the facial recognition settings to a separate PS4 account, and hoped for the best. During calibration, I was immediately recognized with the addition of the tape-nose, but during the actual login, the calibrated mask was not recognized, tape-nose and all. This is likely because a calibration procedure accepts as much data as possible in order to make it work, but then that data is tightened up for the actual login, to prevent false positives.

The nose and the mouth of the mask are the least human-like features, so we got to work creating some nose-based topography, as well as making the mouth less of an inhuman frowning slit (through the use of a mustache).

In our newly minted Iron Marx costume, we successfully ran through the initial calibration, but we managed that during our noseless pursuits. The true test was getting the facial recognition to work for the login process. It took a bit of fidgeting around, but Iron Marx was recognized.


When I’m Iron Marx’s secret identity, as seen above, the facial recognition is triggered and allows the login. Since the mask was the visage that was calibrated (rather than my face), we decided to switch it to someone else who doesn’t look anything like me, our own Sebastian Anthony. Our body types are quite different, so if Iron Marx worked as worn by Sebastian, then we will have truly created our universal login key.


As you can see from the image below, it worked. Now we know that masks can be accepted regardless of the person wearing them, thus creating the universal login item. We didn’t stop there, though.


We noticed Iron Marx only worked when it had the nose jutting out, so we felt that one aspect of an image the camera looked for was depth. So, to test that, we took a photograph of Sebastian — whose natural, unmasked face was already connected to a user account — and planned on printing it out and holding it up in front of the PS Camera. However, we wanted to create a difficult scenario for the facial recognition system, so instead of just printing out a flat picture on paper, we loaded up the image in portrait mode on a Microsoft Surface 2. We figured the reflective display would pose a problem, so if that — plus the flat image — would be accepted, then you could log into the PS4 under someone else’s account.


It worked, and it didn’t take much fidgeting around like when we donned the Iron Marx mask. The only adjustments we needed to make were to scale the photo to a size similar to a human head, and to turn the Surface 2 display’s brightness down. We tried with a smartphone, but that didn’t fly; the screen is probably too small.

So, what did we learn? You can create a mask that anyone can wear that will successfully log you into a PS4. This isn’t too dangerous, though, as it can only log into the account that it was calibrated with. However, using a simple image (even when displayed on a tablet), you can log into someone else’s PS4 account. If they have the automatic PSN login set up, you could conceivably access their PlayStation Store account and make a bunch of unwanted purchases with their credit card — assuming all of the appropriate information is stored on the system.

When you begin the facial recognition set up, Sony has a disclaimer displayed on-screen that states the facial recognition feature shouldn’t be used as a form of security, but is more for convenience than anything. Considering you can log in using a ridiculous mask or a picture of a human, Sony knew what it was talking about, and you really should heed its advice.

source

-----------------------------------------------------------------------------------------------------------------------------

epic fail. 




ps4: "eh, close enough, must be related"



All of this, of course, is just my opinion.

Skyrim 100%'d. Dark Souls 100%'d. 
Dark Souls > Skyrim.
Halo 4 is the best damn FPS since Halo 3.
Proud pre-orderer of 2 PS4's and an Xbox One. 

Currently Playing: Dark Souls II, South Park
Playstation 4: MGS V GZ, Killzone: Shadow Fall, NBA 2k14.

It's okay, nobody bought the camera.



Sigs are dumb. And so are you!

The facial log in is only to get to your local profile isn't it? It's not meant to be secure, if they've already broken into your house, then there are other things to be worried about.

You can't log into your account remotely with your face, you have to use your PSN ID and password?

I don't have one yet (stupid Europe), but I'm assuming it works in a similar way to the PS3



As far as I know you still have to re-enter your password when you make a purchase. At least it always asks me on ps3. I guess you can break into someone's house, enlarge a picture off their fridge and download a lot of demos on their ps4...

I did notice it asks me who is using the second controller when I turn it on, and it won't let me use both controllers on the same user account. Why does it all need to be individualized nowadays, is it really that important who earned what trophy... The good old days of entering your initials for a high score are all gone :(




facial login in general is not secure. Android's requires you to blink otherwise you could get away with just any picture of the person. However, based on the OP, it is still more secure than PS4.

Fact is, if you want your ish to be secure, then just use a pw.



I wonder how much more of an issue this will be with the X1 and Kinect since every one of them is coming with one...



                  

PC Specs: CPU: 7800X3D || GPU: Strix 4090 || RAM: 32GB DDR5 6000 || Main SSD: WD 2TB SN850

Don't have a camera so.....CASE CLOSED



The menu specifically states that facial login is for convenience, not security. It says to use a password for that.