Security experts trick Windows Hello with infrared picture

Ars Technica writes that Microsoft's Windows Hello facial recognition system was hackable with a little fiddling. While Apple uses its Face ID system only on its own iPhone and iPad hardware, Microsoft's Windows Hello facial recognition is a lot more open: it works with a wide variety of webcams that have an infrared sensor in addition to the regular RGB sensor.
Security researchers from CyberArk discovered they could trick Windows Hello into unlocking a computer by manipulating a USB webcam so that it delivers a straight-on infrared image of the target's face together with a solid black frame in place of the RGB image. No regular photo of the target is needed, because Windows Hello uses only the infrared data; the RGB data is discarded.
Is an attack easy to carry out?

The answer here is no: an attacker needs a good-quality infrared image of the victim plus physical access to the device.
While it sounds simple—show the system two photos and you're in—these Windows Hello bypasses wouldn't be easy to carry out in practice. The hack requires that attackers have a good-quality infrared image of the target's face and have physical access to their device. But the concept is significant as Microsoft continues to push Hello adoption with Windows 11. Hardware diversity among Windows devices and the sorry state of IoT security could combine to create other vulnerabilities in how Windows Hello accepts face data.

Microsoft issued patches on July 13th to address this issue. The software giant also recommends that users switch on "Windows Hello enhanced sign-in security", a feature that uses virtualization-based security to keep the Windows Hello face data in a protected area of the computer's memory so that it can't be tampered with.
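Because Windows Hello accepts frames from whatever camera the machine enumerates, a practitioner checking a device will first want to know which cameras are present and which of them are reachable over USB, the attachment point the CyberArk spoofed camera used. The script below is an added example, not code from the article, Ars Technica, CyberArk or Microsoft; it relies only on the built-in Get-PnpDevice cmdlet and assumes that cameras enumerate under the Camera device class (or the older Image class) and that infrared sensors advertise "IR" or "Infrared" in their friendly name.

```powershell
# Added example: inventory present camera devices and flag USB-attached
# and infrared-looking ones. Assumptions: cameras sit in the 'Camera'
# class (Windows 10 and later) or the legacy 'Image' class, and the IR
# sensor appears as its own device with "IR"/"Infrared" in its name.
$cameras = Get-PnpDevice -PresentOnly |
    Where-Object { $_.Class -in @('Camera', 'Image') }

foreach ($cam in $cameras) {
    # Instance IDs of USB-attached devices start with USB\VID_xxxx&PID_xxxx
    $isUsb   = $cam.InstanceId -like 'USB\*'
    $looksIr = $cam.FriendlyName -match '\bIR\b|Infrared'

    [pscustomobject]@{
        FriendlyName = $cam.FriendlyName
        Class        = $cam.Class
        Status       = $cam.Status
        UsbAttached  = $isUsb
        IrSensor     = $looksIr
        InstanceId   = $cam.InstanceId
    }
}
```

Treat a UsbAttached result as a lead rather than proof of an external device: many laptops wire their built-in camera to an internal USB hub, so it also shows up as USB. The useful signal is a second, unexpected IR-capable camera, or a camera whose vendor and product IDs do not match the machine's own hardware.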