Introduction
Trust Swiftly is an advanced identity verification solution, and we are dedicated to developing
highly secure proofing methods. We are excited to announce a $100,000 Spoof Challenge to
rigorously test the biometric security of our Identity Assurance Level 3 (IAL3) identity-proofing
process. We are opening this challenge to a broader audience. You should be a skilled security
researcher or ethical hacker with knowledge of bypassing identity systems. This challenge is
designed to discover and address potential vulnerabilities in our processes and technology. You
should be proficient at bypassing multiple existing solutions and tools to attempt the process.
Due to AI, advanced threat actors can bypass almost all remote solutions in today's market. IAL3
is the next frontier in identity security; therefore, we hope to offer a solution that is both
accessible and future-proof.
Scenario
You are applying for a remote position at Obscura, a fictitious advanced technology firm where
you must already be based in Florida. This role requires access to sensitive information
systems and a rigorous IAL3 identity-proofing process. You have already completed the initial
personality and interview checks. To proceed further in the hiring process, you must complete
IAL2 and IAL3 identity verification. You are a US citizen, legally eligible to work in the US, and
acting as a lone threat actor.
Challenge Objective
You aim to bypass the Trust Swiftly IAL3 biometric identity verification process using spoofing
and identity evasion techniques, demonstrating your ability to impersonate another individual in
a remote, in-person, supervised environment. The challenge focuses exclusively on biometric and
identity spoofing and excludes other forms of system penetration.
Prize Structure & Grading
A total prize pool of $100,000 is available. The amount awarded from the remaining pool is based
on the level of bypass achieved and the grading of your attempt during the IAL3 stage. Only
attempts that successfully bypass IAL2 and reach the IAL3 stage are eligible for prize consideration.
Grading System for IAL3 Bypass
- A+ (Full Bypass – Up to $100,000): Successfully spoofs all biometric evidence
collected during the IAL3 session and NIST requirements (SP-800-63), bypassing the
prescribed IAL3 verification process.
- B (Limited Bypass – Up to $25,000): Demonstrates significant progress in spoofing
multiple biometrics, including facial, showcasing potential vulnerabilities, but does not
entirely bypass all NIST IAL3 requirements.
- C and Below (Fail - No Prize): No discernible attempt at biometric spoofing or easily
detected spoofing attempts lacking sophistication.
Important Note: Only grades A+ through C+ are eligible for the bounty. The final grade is
determined by Trust Swiftly's review team based on the recorded IAL3 session and submitted
documentation. IAL2 is fully expected to be bypassed and will not result in any compensation.
Rules and Guidelines
1. Eligibility:
- The challenge is open to individuals aged 21 and over with a USA identity.
- Participants must agree to and comply with all rules and terms this document outlines.
- Employees and contractors of Trust Swiftly and its affiliates are not eligible to participate.
2. Entry Fee (IAL3 Stage Only):
- Upon successfully passing the IAL2 stage and being invited to IAL3, participants must
pay a non-refundable entry fee of $500 USD.
- This fee covers the costs of grading and reviewing your IAL3 attempt, including expert
analysis and administrative expenses. It may be refundable if any significant bypass is
discovered.
- Payment instructions will be provided upon successful completion of IAL2.
3. Attempt Limits & Bans:
- Participants are granted only one attempt at the entire IAL2 and IAL3 challenge
processes. While this may appear strict, it is in place to prevent obvious probing and
reverse engineering of the process.
- Disqualification at any stage results in a ban from future Trust Swiftly bounty programs
and challenges, unless explicitly reauthorized by Trust Swiftly.
- Any attempt to circumvent the one-attempt rule or engage in malicious activity will result
in immediate disqualification.
- Your biometrics from your initial attempt (successful or failed) will be recorded. Future
attempts using your real biometrics will be immediately flagged and banned. Your data
will be deleted at the end of the challenge.
4. Conduct and Ethics:
- Participants must conduct themselves ethically and professionally throughout the
challenge.
- All applications must adhere to applicable laws and regulations.
- Participants must not engage in any activities that could disrupt or harm Trust Swiftly's
systems or reputation beyond the scope of this challenge.
- Collusion with other participants or seeking unauthorized assistance during any stage is
strictly prohibited and will result in disqualification.
- Participants must act as if this were an actual job application scenario.
5. Scope of the Challenge:
In Scope:
Biometric spoofing of facial and voice recognition systems during the IAL2
and IAL3 processes. This includes but is not limited to:
- Presentation attacks (e.g., photos, videos, masks, deepfakes) against facial
recognition.
- Replay attacks, synthetic voice generation, voice cloning, and mimicking against
voice recognition.
Out of Scope:
- Credential compromise (username/password attacks).
- Cross-site scripting (XSS), SQL injection, or other web application
vulnerabilities.
- Social engineering tactics against Trust Swiftly personnel or systems.
- Infrastructure or administrative exploits.
- Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks.
- Physical tampering with Trust Swiftly infrastructure (except as explicitly
instructed for IAL3 kiosk interaction).
- Any attack vector not directly related to biometric spoofing.
6. Technical Requirements & Reproducibility:
- Your bypass solution must be technically reproducible and cost-effective.
- The estimated cost to reproduce your spoofing solution must not exceed $10,000 USD in
commercially available hardware and software. Please provide a breakdown of estimated
costs with your submission. The cost restriction creates a comparable adversary
environment as we seek creative solutions that have a broad impact.
- Participants must document all tools, techniques, and methodologies used during the
IAL2 and IAL3 processes.
- For IAL2 bypass attempts, participants must record their screen, showing both the input
stream (e.g., camera view of the spoofing attempt) and the output stream (what is being
processed by the system). This recording must be submitted with your final IAL3
submission if you successfully reach that stage.
7. Submission Requirements (IAL3 Successful Participants):
Successful participants who reach the IAL3 stage and have been informed they have achieved a bypass must submit the following:
- IAL2 Spoofing Technique Documentation and Recording: Detailed
documentation of the tools, techniques, and methodologies used to bypass IAL2,
including the screen recording as described above.
- Bypass Solution Description: A comprehensive written report detailing the IAL3
spoofing techniques used, including:
- Step-by-step instructions for reproducing the bypass.
- Hardware and software used, including versions and configurations.
- Estimated cost to reproduce the solution (with a cost breakdown).
- Explanation of why you believe your technique was successful.
- Real Biometric Submission (Pre-IAL3 Review): Before your IAL3 session and
before the review process begins, you must submit a clear photograph of your
actual face and a recording of your actual voice. This is crucial for verification
and to ensure that the spoofed biometrics used during the challenge are indeed
different from your real biometrics.
8. Legal and Ethical Considerations:
By participating in the challenge, you acknowledge and agree that:
- This is a simulated environment for security testing purposes only.
- Any data collected during the challenge will be used solely to evaluate your
submission and improve Trust Swiftly's security.
- You will not use any information gained during this challenge for illegal or
unethical activities.
- Trust Swiftly reserves the right to modify or terminate the challenge without prior
notice.
- The decisions of Trust Swiftly's judging panel are final and binding.
- The laws of Washington, DC, USA, govern this challenge.
9. Disqualification:
Participants will be disqualified and banned for any of the following reasons:
- Failure to comply with any of the rules and guidelines outlined in this document.
- Attempting to bypass the system through out-of-scope methods.
- Engaging in unethical or illegal activities.
- Suspicious behavior or deviations from instructions during the IAL3 session, including:
- Tampering with the kiosk device in a way that deviates from instructions.
- Requesting human-to-human interaction during the remotely administered IAL3
session.
- Intentionally delaying the process or claiming to have forgotten necessary
documents.
- Using external assistance during any stage of the challenge.
- Providing false or misleading non-biometric information during registration or submission.
10. Judging and Results:
- Trust Swiftly's expert security team will evaluate all submissions and determine the
winners based on the above grading system.
- The judging process will consider the effectiveness of the spoofing techniques, the level
of bypass achieved, the clarity of documentation, and adherence to all rules and
guidelines.
- Feedback provided to participants will typically be limited to pass/fail notifications for
each stage. Detailed feedback on the reasons for failure or specific vulnerabilities
identified may not be provided due to security considerations.
- Winners will be notified via email within 30 days of the challenge closing date.
- Prize payments will be made within 60 days of winner notification, subject to verification
and compliance with all challenge terms.
IAL2 and IAL3 Process:
Initial Stage: IAL2 Remote Proofing
- Registration: Visit https://bounty.trustswiftly.com/signup/stage-1 to register for the challenge. You must provide basic information and agree to the challenge rules and terms.
- IAL2 Commencement: Upon successful registration, you will receive an email with
instructions on beginning the IAL2 process. This process will be conducted remotely and
unsupervised and will include additional supervised components. It also may be time-boxed and include additional identity verification requirements.
- IAL2 Biometric Capture and Verification: You will be prompted to complete an IAL2
identity verification process using your web camera and microphone. You must use
spoofed biometrics for this stage. Remember to record your screen showing input and
output streams during spoofing attempts.
- IAL2 Completion Notification: Upon completing IAL2, you will receive notification of
either success or failure. If successful, you will be invited to proceed to the IAL3 stage
and provided with payment instructions for the IAL3 entry fee. If you fail IAL2, you are
disqualified from the challenge.
Final Stage: IAL3 Remote Supervised Kiosk Session
- IAL3 Entry Fee Payment: Pay the $500 USD entry fee as per the instructions
provided in the IAL2 success notification email.
- IAL3 Scheduling: Once payment is confirmed, you will be contacted to schedule your
IAL3 session. Sessions are conducted between 9:00 AM and 5:00 PM Eastern Time
(EST), Monday through Friday. Due to limited availability, scheduling may be subject to
delays.
- Kiosk Location Agreement: A mutually agreeable location for your IAL3 session in the
US will be determined. This will typically be an accessible coworking space or office
with a private meeting room. The location will be chosen to be convenient for you from a
pre-approved list of locations.
- IAL3 Session Instructions: You will receive detailed instructions regarding the IAL3
session, including the location, time, and specific tasks to be performed at the kiosk.
- IAL3 Kiosk Interaction: You will go to the designated kiosk location at the scheduled
time. You will interact with the kiosk device remotely, supervised by a Trust Swiftly
agent. Continue to use spoofed biometrics during the IAL3 session. Follow all on-screen and verbal instructions carefully. The IAL3 session is designed to last
approximately 10-15 minutes.
- IAL3 Session Completion: Upon completing the IAL3 session, you will be notified that
your attempt is under review.
- Real Biometric Submission: Following your IAL3 session, you will receive instructions
on submitting a clear photograph of your actual face and other real biometrics, as per submission requirements.
Analysis Stage: Review and Grading
- Expert Review: Trust Swiftly's security team will review your IAL2 recording, your
IAL3 session (if recorded), your bypass solution documentation, and your submitted real
biometrics.
- Grading and Notification: Your attempt will be graded according to the above grading
system. You will be notified via email of your grade and prize award (if applicable).
Frequently Asked Questions
- What are the security measures in place to prevent cheating or manipulation of the
spoofing attempts?
- Anti-spoofing techniques and fraud detection will be dynamic and, therefore,
adjust per your method of attack.
- Will there be any feedback or debriefing provided to participants after their attempt,
regardless of the outcome?
- No, unless we deem your attack novel enough to pursue further.
Contact Information:
For any questions regarding this bounty, please contact: [email protected]
Disclaimer: Trust Swiftly reserves the right to modify these rules and guidelines at any time.
Participation in this challenge constitutes acceptance of these rules and policies as they are
currently published. Good luck!