Harvard duo hacks Meta Ray-Bans to dox strangers on sight in seconds
- Reference: 1728023525
- News link: https://www.theregister.co.uk/2024/10/04/harvard_engineer_meta_smart_glasses/
- Source link:
AnhPhu Nguyen and Caine Ardayfio, who've collaborated previously on some positively [1]explosive projects, shared their [2]latest project on X in the form of a pair of camera-fitted [3]Meta Ray-Bans smart glasses that can attempt to automatically and swiftly identify anyone in view of the device's camera and return an AI-generated dossier on them.
Dubbed " [4]I-XRAY " by Nguyen and Ardayfio, the project uses Meta glasses to stream videos to Instagram. Faces captured from the specs' livestream are fed through services like PimEyes, which match the images to publicly available ones and return the URLs. With at least a name, I-XRAY can then cross-reference this data using people-search sites to find addresses and other details – potentially even partial Social Security numbers, pieced together from different sites displaying SSN fragments.
Are we ready for a world where our data is exposed at a glance? [5]@CaineArdayfio and I offer an answer to protect yourself here: [6]https://t.co/LhxModhDpk [7]pic.twitter.com/Oo35TxBNtD — AnhPhu Nguyen (@AnhPhuNguyen1) [8]September 30, 2024
The server-side system doing the work, built by the pair in Python, spits its LLM-summarized results to a mobile app built in JavaScript, and boom: A mini biography on anyone, available instantly. Or, almost instantly – Ardayfio told us the app is actually a bit slow, and usually takes "a minute or so" to pull results.
To top it all off, every bit of data I-XRAY pulls is publicly available – making this a potential open source intelligence privacy nightmare.
All style – and some substance, too
Using a pair of smart glasses for the project was relatively arbitrary, Nguyen told us in an email exchange, and was largely down to making a flashy choice that would attract attention.
"Ninety-nine percent of the damage a bad actor could make from this tool is independent of whether they have smart glasses," Nguyen explained. "Someone could very easily, discreetly, take a picture of someone from afar – cameras have 50x zoom today. They're really good at that."
[9]NFL to begin using face scanning tech across all of its stadiums
[10]Can I phone a friend? How cops circumvent face recognition bans
[11]Remote ID verification tech is often biased, bungling, and no good on its own
[12]Data watchdog fines Clearview AI $33M for 'illegal' data collection
Any hidden – or [13]not-so-hidden – camera could be used to do what the duo did, they told us. And it doesn't take much coding know-how either: The pair only needed two or three days of coding, around four to six hours a day, to get the project running, Nguyen recalled. While Ardayfio has nine years of coding experience, and Nguyen three, that doesn't matter, we're told.
"Anyone who can run some simple web automations with ChatGPT can build this," Nguyen said. "It's astonishing that you can build this in a few days – even as a very naïve developer."
[14]
The duo doesn't intend to release their code – primarily because of its potential for misuse. But they noted it was also originally just a side project that wouldn't be fit for public consumption.
[15]
"The tech works okay," Ardayfio told The Register . "But it's slow, and not fully accurate."
"Our main goal [was] to show people what's possible with fairly standard technology so that people can take their own privacy and data into their hands," Ardayfio added. "Bad actors already know how to do what we did, but we can help the good guys and the general public be more conscious of how to protect themselves."
[16]
Consumer Reports' Yael Grauer maintains an extensive list of data broker websites – and what needs to be done to request information deletion – [17]on GitHub , for those who would like to minimize their online presence. ®
Get our [18]Tech Resources
[1] https://anhphu.notion.site/Punch-Activated-Flamethrower-c7a6739b05b04a94a92803f0226e1e69
[2] https://twitter.com/AnhPhuNguyen1/status/1840786336992682409
[3] https://www.theregister.com/2023/09/28/meta_connect/
[4] https://docs.google.com/document/d/1iWCqmaOUKhKjcKSktIwC3NNANoFP7vPsRvcbOIup_BA/preview
[5] https://twitter.com/CaineArdayfio?ref_src=twsrc%5Etfw
[6] https://t.co/LhxModhDpk
[7] https://t.co/Oo35TxBNtD
[8] https://twitter.com/AnhPhuNguyen1/status/1840786336992682409?ref_src=twsrc%5Etfw
[9] https://www.theregister.com/2024/08/06/nfl_face_scanning_tech/
[10] https://www.theregister.com/2024/05/20/cops_circumvent_facial_recognition/
[11] https://www.theregister.com/2024/09/30/remote_identity_verification_biased/
[12] https://www.theregister.com/2024/09/03/clearview_ai_dutch_fine/
[13] https://www.theregister.com/2024/08/05/keir_starmer_facial_recognition/
[14] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zv-8xop0bT2mC0zlRIfeeAAAAEQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[15] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zv-8xop0bT2mC0zlRIfeeAAAAEQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[16] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zv-8xop0bT2mC0zlRIfeeAAAAEQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[17] https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-List?tab=readme-ov-file
[18] https://whitepapers.theregister.com/
No, Mister von Lipvig, that's just because your face IS so forgettable! Surprised yourself shaving in the mirror again this morning, did you?
I came to dox strangers on sight in seconds and to chew bubble gum… and I’m all out of bubble gum.
As a good American...
...Wait, that doesn't make any sense. Look at what these two idiot have created because they want to "help us." Shame on them for seeking glory early and not completing the scientific process in order to find a way to stop it from working. If only Lou Reed were still with us to write a rock anti-anthem that would put them in their place.
Also: Thumbs Down to you too! Just because you can never means you should.
Re: As a good American...
I see the angle you're going for but come on use a bit of logic.
This type of thing talked about in the article has been envisioned in films for decades like Robocop or Terminator and one of my favourite ahead of it's time (or was it) films enemy of the state. Therefore with the idea out there it would only be a matter of time before someone did what these two did. In fact it wouldn't be of any surprise to me if it's not already being done especially in the realms of law enforcement and three letter agencies. I can also guarantee without any doubt that someone somewhere is in the process of adapting this for supermarkets to combat theft if they already haven't.
It's not a case of "Just because you can never means you should" it's "Just because you can means you should let people know". Think of it as a vulnerability. Now we know about it we can take steps to mitigate it. Personally my online presence is available but my photograph is extremely rare (maybe 1 or 2 obscure pictures from over a decade ago) and I intend to keep it that way.
They have done some good work here and it should be acknowledged.
Re: As a good American...
Oh a post from an AC! How sweet! When do you expect your balls to drop?
I don't give rats ass how good the work was. I don't care how pure their intentions were.
Reverse engineering an atomic bomb just leads to more atomic bombs.
They rent the Holy Veil anonymity! Do nation states have the power to combat this for the good of Humanity As A Species? Did they even bother to consult the UNHRC? No one can now be unknown whether for good or bad! And they are PROUD of it!
Do you really expect me to be happy that they just put it out there like: "I'm sodomizing you. Enjoy it!"????????????????????????
EDIT: If you think I care that you are down voting me for speaking the truth then just down vote some more. Go on. Click my name. To everything I have ever writen on these forums and down vote some more. Be PROUD about it!
Re: As a good American...
You obviously cared enough about getting down voted to make an edit specifically for it. And for that you get my down vote on that post.
Re: As a good American...
I expect that he doesn't give a shit about upvotes/downvotes because he is older than 12.
Re: As a good American...
You do know that by saying you don't care about something the fact you even need to say it means that you do in fact care. I also didn't know I was in the presence of a "truth speaker" who likes to announce it so everyone knows they have some sort of god complex.
Re: As a good American...
They weren't reverse engineering an atomic bomb which already existed, they came up with a working example of what some Big Tech corp is surely already working on with the hope of mobilising opposition to it.
Or would you like to wake up one morning and find Meta has dropped a new app which does this and there's no going back?
Re: As a good American...
Some people won’t believe a thing can be done unless they see it happening, and, in the case of this sort of thing if it can be done somebody hidden away in a dark corner is already quietly doing it (and probably not for your benefit).
So yeah, if you can you absolutely should because it’s the only reliable way of getting enough people to care about this sort of thing…
Re: As a good American...
'stop it from working' an interesting proposal, which would probably involve nuking linkedin/facebook/ecquifax/transunion and any number of huge data harvesters from orbit, i suspect this would meet quite some resistance.
Maybe the problem lies not with the AFR, but with the unconstrained data harvesting and people throwing thier PII up on the internet without consideration, that preceeded it?
Re: As a good American...
"'stop it from working' an interesting proposal, which would probably involve nuking linkedin/facebook/ecquifax/transunion and any number of huge data harvesters from orbit, i suspect this would meet quite some resistance."
I don't know ..... that sounds like a damn good idea to me!
Black Mirror
This reminds me of the Black Mirror episode where everyone has implants in their eyes which flash up information in a constant feed and if you decide to block someone they are shown as a grey blob in your vision and they cannot communicate with you. Sounds perfect for door-to-door salesmen.
But seriously, this is complete privacy nightmare although probably old-hat for one of the five-eyes organisations.
Re: Black Mirror
If what these researchers have done doesn't wake people up and reflect on the tip of the iceberg of what both Big Brother/organised criminals can actually do now, I don't know what does ...
There has been a major backlash in the UK against routine police surveillance of political marches, strikes and that sort of thing. Up until a few years ago this would result in a dataset of thousands of pictures of law-abiding people on marches or protests which would/should only be of relevance if those faces could be matched to datasets of other illegal activity. There has been a lot of screaming about removal of those pictures as they are of law abiding citizens engaging in lawful activities.
Now it seems, not only can those datasets be collected (it even appears that the current Government are condoning and even encouraging their use) but probably pumped through facial recognition systems in almost real time to be identified. At this point "we have deleted the images of law abiding citizens" would be a valid statement to privacy campaigners but a more accurate completion would be " and no longer require the images as we have identified the individuals, have a full personal, financial and social profiles, who they talk to and where they were last summer."
"so that people can take their own privacy and data into their hands"
I'm sorry, but I strongly feel that the days where we could take care of our own privacy are long gone.
Ever since Google, our privacy has been in the hands of strangers in suits sitting in plush, expensive rooms who only think of how they can monetize our private lives.
And Eric Schmidt is the asshole who started it. Damn him. (but, if not him, there would have been another)
Re: "so that people can take their own privacy and data into their hands"
Not using Google would be a start.
The glasses don't necessarily need to look up people. They should just create book of faces and tell you if you have seen someone already. You could create your own "dossier" for each face.
This way you can learn if someone is following or observing you or figure out if you are surrounded by random NPCs.
For instance if each day you see very much only new faces, then it means you may be in the lower version of simulation.
If you see someone wearing these glasses then there is no need to dox them. They have given away the fact that they have a facebook account and therefore must be a total wanker.
Bally up
Balaclavas will be the norm before long.
Finally a solution for my prosopagnosia!