When Tom Cruise turned up on TikTok recently playing golf, performing magic and eating lollipops, it quickly became yet another viral video sensation. The clips garnered over 11 million views on the social platform before they were removed. Yet as eagle-eyed viewers quickly noted, this was not the work of the Mission: Impossible actor himself but a collaboration between Belgian visual effects artist Christopher Ume and Tom Cruise impersonator Miles Fisher.
So was this just a harmless prank, or a more worrying portent of a digitally altered future where nothing we view online can really be believed? Ume himself has said he wanted to draw people’s attention to how convincing deepfake tech has become today. CISOs should take note: the technology could give scammers the upper hand in the years to come.
How to make a fake
Deepfake makers use deep learning, an offshoot of AI, to develop spoofed video and audio that’s increasingly tough to tell apart from the genuine article. These can be used to synthesise speech, manipulate facial expressions and even to swap entire faces.
The “autoencoder” is key. It’s deep neural network tech that can be trained to take a video input, compress it via an encoder and then rebuild it with a decoder. Using this technique, a system can be taught how to reconstruct a face from the compressed “essence” of that image: described here as a “latent face.”
To generate a deepfake, the system is taught separately how to encode and decode two different faces — eg, one of Tom Cruise and another of Fisher. By then passing the “latent face” of Cruise through the decoder used to rebuild the face of Fisher, the reconstructed face will meld the two. Thus, Cruise’s facial expressions appear to mimic Fisher’s. The same technology can be used to superimpose a different face altogether onto a targeted person.
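The shared-encoder, two-decoder trick described above can be sketched in miniature. The toy below is a hypothetical illustration only: it uses NumPy, random vectors in place of real face frames, and simple linear least-squares in place of deep neural network training, but the swap step at the end mirrors the real pipeline — encode a frame of one identity, then reconstruct it with the other identity’s decoder.

```python
import numpy as np

rng = np.random.default_rng(0)

# Toy "faces": flattened 8x8 grayscale frames (64-dim vectors).
# Two identities, each with several poses/expressions.
faces_a = rng.normal(size=(20, 64))   # stand-in for Cruise frames
faces_b = rng.normal(size=(20, 64))   # stand-in for Fisher frames

LATENT = 8  # dimensionality of the compressed "latent face"

# Shared linear encoder: projects any face into the latent space.
encoder = rng.normal(size=(64, LATENT)) * 0.1

def encode(x):
    return x @ encoder

# Train one decoder per identity: find the matrix D that best
# reconstructs that identity's frames from their latent faces,
# i.e. minimise ||encode(X) @ D - X||^2 by least squares.
def fit_decoder(x):
    z = encode(x)
    decoder, *_ = np.linalg.lstsq(z, x, rcond=None)
    return decoder

decoder_a = fit_decoder(faces_a)
decoder_b = fit_decoder(faces_b)

# The swap: compress a new frame of identity A to its latent face,
# then rebuild it with identity B's decoder. The result carries A's
# pose/expression rendered as B's face.
new_frame_a = faces_a[0]
swapped = encode(new_frame_a) @ decoder_b

print(swapped.shape)  # a full 64-dim reconstructed frame
```

In a real system the encoder and decoders are deep convolutional networks trained jointly on thousands of frames of each person, but the division of labour is the same: the shared encoder captures pose and expression, while each decoder holds one identity’s appearance.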
It’s unclear which technique, or combination of other cutting-edge technologies, Ume actually used. His point was to use the best of what’s available today to show what could be possible to anyone tomorrow. “What now takes an inventive impersonator, a beefy computer, and a skilled practitioner days of work could be done by a simple Snapchat filter by 2025,” he told The Guardian.
That’s something that should worry anyone working in cybersecurity, given how quickly this could lower the barrier to entry for a range of possible scams.
What happens next?
Save for the work of professionals like Ume, most deepfakes are pretty poor efforts designed by classroom pranksters. Inconsistencies, pixelation and other mistakes make them easy to spot. But the prospect of more convincing fakes is of concern primarily to politicians, who warn that videos could be developed to influence public opinion of one candidate or another. Psychologists believe that humans tend to form lasting impressions of people based on their first experience, which means even if a clip was subsequently proven to be fake it may still unconsciously affect our perception of a candidate.
A similar tactic could be used by cyber-criminals to manipulate the words coming out of a CEO’s mouth, or to stick their face onto the body of someone doing something illegal or controversial. They could use the tactic to extort the individual, or even to manipulate the stock price of their company.
Deepfakes could also theoretically be crafted to add legitimacy to business email compromise (BEC)-style impersonation attacks. In fact, fake audio clips have already famously been used to trick one CEO into wiring over $240,000 to fraudsters at the behest of his ‘German boss’. As the tech becomes more widespread, enterprising fraudsters will find yet more new ways to use it, such as bypassing facial and voice recognition systems.
Rising to the challenge
So what’s our best response? Phishing and its social, phone and text-based variants will remain the number one vector for such scams for the foreseeable future. But the arms race is constantly evolving, and with AI it’s set to become supercharged as both sides battle it out to gain supremacy.
Social media sites have sought to remove such content from their pages. Twitter promised to label any content which has been “significantly and deceptively altered or fabricated” and is shared deceptively, and said it would remove deepfakes which could cause harm. Facebook also said last year it would ban deepfakes outright, following YouTube’s lead. But the social media platforms are still playing catch-up when it comes to taking down controversial or illegal material, and in any case their actions would not tackle the challenge of privately emailed videos.
The best that corporate cybersecurity leaders can do for now is to update their security training and awareness policies. By ensuring staff can spot the tell-tale signs of deepfakes, and understand how they may be used against their employer, CISOs can build an effective first line of defence. The next challenge will be in designing tools to spot and block such fakes.
Security vendors like Barracuda Networks are already using advanced AI algorithms to better spot malicious messages, and in time will develop technology to do the same for deepfakes. The headlines are a cause for concern, but the industry has risen to challenges like this before. And it will do so again.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.