Windows Hello verification was hackable with infrared photos

Posted on Monday, Jul 19 2021 @ 15:35 CEST by Thomas De Maesschalck
Authentication technology is used very widely these days. In the past, a password was the most commonly used method but over the past decade, there's been a big increase in the use of biometrics. Unfortunately, not every authentication method offers absolute security.

Security experts trick Windows Hello with infrared picture

Ars Technica writes that Microsoft's Windows Hello facial recognition system was hackable with a little fiddling. While Apple uses its FaceID system exclusively on the iPhone and iPad, the Windows Hello facial recognition from Microsoft is a lot more open. Windows Hello works with a wide variety of webcams that have an infrared sensor in addition to the regular RGB sensor.

Security researchers from CyberArk discovered they could trick Windows Hello into unlocking a computer by manipulating a USB webcam to deliver a straight-on infrared image of the target's face plus a black frame. It's not necessary to provide a regular image of the target because Windows Hello exclusively uses the infrared data -- the RGB data gets discarded.

Is an attack easy to carry out?

The answer here is no. An attacker needs a decent infrared image of the victim plus physical access to the device.

While it sounds simple—show the system two photos and you're in—these Windows Hello bypasses wouldn't be easy to carry out in practice. The hack requires that attackers have a good-quality infrared image of the target's face and have physical access to their device. But the concept is significant as Microsoft continues to push Hello adoption with Windows 11. Hardware diversity among Windows devices and the sorry state of IoT security could combine to create other vulnerabilities in how Windows Hello accepts face data.

Microsoft issued patches on July 13th to address this issue. The software giant also recommends that users switch on "Windows Hello enhanced sign-in security." This is a feature that uses virtualization to store the Windows Hello face data in a protected area of the computer memory -- to ensure it can't be tampered with.


About the Author

Thomas De Maesschalck

Thomas has been messing with computers since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.


