Security researchers are fooling Microsoft’s Windows Hello authentication system


Microsoft designed Windows Hello to be compatible with webcams from different brands, but this feature, intended to ease adoption, could also make the technology vulnerable to bad actors. As reported by Wired, researchers from the security firm CyberArk managed to fool Hello's facial recognition system using images of the computer owner's face.

Windows Hello requires the use of cameras with RGB and infrared sensors, but while examining the authentication system, the researchers found that it only processes infrared frames. To confirm their discovery, the researchers created a custom USB device onto which they loaded infrared photos of the user and RGB images of SpongeBob. Hello recognized the device as a USB camera, and the PC was successfully unlocked using only the user's IR photos. Moreover, the researchers found that they didn't even need multiple IR images: one IR frame with one black frame can unlock a PC protected by Hello.

Breaking into someone's computer using this technique would be extremely difficult to pull off in practice, because an attacker still needs an IR photo of the user. However, it is still a weakness that could be exploited by those who are especially motivated to infiltrate someone's computer. Tech companies need to ensure that their authentication technologies are secure if they want to rely increasingly on biometrics and move away from passwords as a means of authentication. The CyberArk team decided to put Windows Hello under the magnifying glass because it is one of the most commonly used passwordless authentication systems.

Microsoft has already released patches for what it calls a “Security Feature Bypass Vulnerability.” The tech giant is also suggesting the use of “Enhanced Login Security for Windows Hello,” which encrypts the user's face data and stores it in a protected area.

