Biometric authentication is an important part of the technology industry’s plans to make the world passwordless. But a new method of cheating Microsoft’s Windows Hello face detection system shows that a little hardware fiddling can trick the system into unlocking when it shouldn’t.
Services like Apple’s FaceID have made face recognition authentication more common in recent years, with Windows Hello driving adoption even further. Apple only allows you to use FaceID with the cameras built into recent iPhones and iPads, and it is still not supported on Macs at all. But because Windows hardware is so diverse, Hello Face Detection works with a variety of third-party webcams. Where some might take that flexibility lightly, researchers at security firm CyberArk saw potential vulnerabilities.
This is because you cannot trust that any old webcam offers robust protection in how it collects and transmits data. Windows Hello Face Detection only works with webcams that have an infrared sensor in addition to the standard RGB sensor. But it turns out the system does not even look at the RGB data. Which means that with a straight infrared image of a target face and a black frame, the researchers found that they could unlock the victim
By manipulating a USB webcam to deliver an attacker-selected image, researchers could trick Windows Hello into believing that the device owner’s face was present, and thus into unlocking.
“We were trying to find the weakest point in face recognition and what would be most interesting from the attacker’s perspective, the most accessible option,” said Omer Tsarfati, a researcher at security firm CyberArk. “We created a complete map of the Windows Hello face recognition flow and saw that the most convenient thing for an attacker would be to pretend to be the camera, because the whole system trusts this input.”
Microsoft calls the finding a “Windows Hello security feature bypass vulnerability” and released updates on Tuesday to address the issue. In addition, the company suggests that users enable “Windows Hello Enhanced Login Security,” which uses Microsoft’s “virtualization-based security” to encrypt Windows Hello facial data and process it in a protected memory area where it cannot be tampered with. The company did not respond to a request for comment from WIRED regarding the CyberArk findings.
Tsarfati, who will present the findings next month at the Black Hat security conference in Las Vegas, says that the CyberArk team chose to look at Windows Hello’s face recognition approval in particular because there has already been a lot of research in the industry on PIN cracking and fingerprint sensors. He adds that the team was drawn by the large Windows Hello user base. In May 2020, Microsoft said the service had more than 150 million users. In December, the company added that 84.7 percent of Windows 10 users logged in with Windows Hello.
Even if it sounds simple – show the system two pictures and you are in – these Windows Hello workarounds would not be easy to perform in practice. The hack requires that attackers have a good-quality infrared image of the target’s face and physical access to the device. But the concept is important as Microsoft continues to push Hello adoption with Windows 11. Hardware diversity among Windows devices and the deplorable state of IoT security can combine to create other vulnerabilities in how Windows Hello accepts facial data.
“A very motivated attacker can do these things,” said Tsarfati. “Microsoft was great to work with and produced mitigating conditions, but the deeper problem in itself, of trust between the computer and the camera, remains there.”