Microsoft designed Windows Hello to be compatible with webcams across multiple brands, but that feature, designed for easy adoption, can also make the technology vulnerable to bad actors. As reported by Wired, researchers from the security company CyberArk managed to trick the Hello face recognition system using images of the computer owner's face.
Windows Hello requires the use of cameras with both RGB and infrared sensors, but after examining the authentication system, the researchers found that it only processes infrared frames. To verify the findings, the researchers created a custom USB device, which they loaded with infrared images of the user and RGB images of Spongebob. Hello recognized the device as a USB camera and it was successfully unlocked with only IR pictures of the user. Furthermore, the researchers found that they did not even need multiple IR images ̵
Breaking into someone else's computer using the technique would be very difficult to achieve in real life, since the attacker still needs an IR image of the user. That said, it is still a vulnerability that can be exploited by those who are particularly motivated to infiltrate other people's computers. Technology companies need to ensure that their authentication technologies are secure if they want to rely more and more on biometrics and move away from passwords as a means of authentication. The CyberArk team chose to put Windows Hello under scrutiny because it is one of the most widely used password-free authentication systems.
Microsoft has already released updates for what it calls the "Hello Security Feature Bypass Vulnerability." The technology giant also recommends turning on "Windows Hello enhanced login security", which will encrypt the user's face data and store it in a protected area.