Biometric authentication is a key part of technology industry plans make a world without a password. Or a new method for copying Microsoft Windows Hello the face recognition system shows that a little hardware tampering can trick the system into unlocking when it shouldn’t.
Services like Apple’s FaceID have made face recognition authentication more common in recent years, and Windows Hello has adopted adoption even further. Apple only allows you to use FaceID with cameras built into recent iPhones and iPads, and the Mac is not yet supported. But because Windows hardware is so diverse, Hello Face Recognition works with a number of third-party vendors webcams. However, where some might notice the ease of adoption, researchers from security firm CyberArk have seen potential vulnerability.
This is because you can’t believe any old webcam offers robust protection for the way it collects and transmits data. Windows Hello Face Detection only works with webcams that have an infrared sensor in addition to the usual RGB sensor. But it turns out that the system doesn’t even look at RGB data. Which means researchers with one direct infrared image of the target’s face and one black frame found they could unlock the victim’s device protected by Windows Hello.
By manipulating a USB webcam to deliver an image chosen by an attacker, researchers could trick Windows Hello into thinking the device owner’s face is present and unlocking.
“We tried to find the weakest point in facial recognition and what would be the most interesting, most accessible option from the attacker’s perspective,” says Omer Tsarfati, a researcher at security firm CyberArk. “We created a complete map of the face recognition workflow in Windows Hello and saw that it would be most convenient for the attacker to play the camera, because the whole system relies on this input.”
Microsoft calls the finding a “Windows Hello Security Feature Bypass vulnerability.” published patches on Tuesday to address the issue. In addition, the company suggests that users enable Windows Hello Enhanced Sign-in Security, which uses Microsoft’s Virtualization-Based Security to encrypt Windows Hello face data and process it in a protected area of memory where it cannot be mixed with. The company did not respond to WIRED’s request for comment on CyberArk’s findings.
Tsarfati, who will present the findings at the Black Hat security conference in Las Vegas next month, says the CyberArk team decided to verify the authenticity of Windows Hello face recognition because there has already been a lot of research across the industry. PIN cracking i fingerprint sensor forgery. He adds that the team was attracted by a significant Windows Hello user base. In May 2020, Microsoft said the service had more than 150 million users. In December, the company added that 84.7 percent of Windows 10 users log on with Windows Hello.
Although it sounds simple – show the system two photos and you are – these Windows Hello workarounds would not be easy to implement in practice. Hacking requires that attackers have a quality infrared image of the target’s face and physical access to their device. But the concept is significant because Microsoft continues to push for the adoption of Hello with Windows 11. The hardware diversity among Windows devices and the deplorable state of IoT security can combine to create other vulnerabilities in the way Windows Hello accepts facial data.
“A really motivated attacker could do that,” Tsarfati says. “Microsoft has been great at working and mitigating the consequences, but the deeper issue of trust between computers and cameras remains there.”