Face Recognition Systems (FRS) have been increasingly integrated into critical applications, including surveillance and user authentication, highlighting their pivotal role in modern security systems. Recent studies have revealed that FRS are vulnerable to adversarial attacks (e.g., adversarial patch attacks) and backdoor attacks (e.g., training data poisoning), raising significant concerns about their reliability and trustworthiness. Previous studies primarily focus on traditional adversarial or backdoor attacks, overlooking the resource-intensive or privileged-manipulation nature of such threats, which limits their practical generalization, stealthiness, universality and robustness. Accordingly, in this paper we delve into the inherent vulnerabilities of FRS through user studies and preliminary explorations. By exploiting these vulnerabilities, we identify a novel facial identity backdoor attack, dubbed FIBA, which unveils a potentially more devastating threat against FRS: an enrollment-stage backdoor attack. FIBA circumvents the limitations of traditional attacks, enabling broad-scale disruption by allowing any attacker donning a specific trigger to bypass these systems. This implies that after a single poisoned example is inserted into the database, the corresponding trigger becomes a universal key with which any attacker can spoof the FRS. This strategy fundamentally challenges conventional attacks by starting at the enrollment stage, dramatically transforming the threat landscape by poisoning the feature database rather than the training data.