
Researchers disclose vulnerability in Windows Hello facial recognition

Researchers at the security firm CyberArk Labs have discovered a vulnerability in Microsoft’s Windows Hello facial recognition system in Windows 10 and Windows 11. Calling it a “design flaw,” the researchers say that hackers can get around Windows Hello by using a certain type of hardware to eventually gain access to your PC.

Though it isn’t easily accomplished (and Microsoft says it has mitigated the vulnerability), a very specific set of conditions can lead to the bypass. In all cases, an attacker would need to capture an IR image of the victim’s face, have physical access to the victim’s PC, and use a custom USB device that can impersonate a camera. CyberArk Labs describes the six-part process on its website, with a video showing the proof of concept.

Figure: A six-step diagram showing the vulnerability in Windows Hello.

Per the firm, this is all possible because Windows Hello will only process IR camera frames when trying to authenticate a user. “One would need to implement a USB camera that supports RGB and IR cameras. This USB device then only needs to send genuine IR frames of the victim to bypass the login phase, while the RGB frames can contain anything,” said CyberArk’s Omer Tsarfati.


There is currently no evidence that this vulnerability has been actively exploited, but CyberArk Labs warns that someone with the right skills could use it to target journalists and others with sensitive content on their devices. It is also important to note that the research was done on Windows Hello for Business, not the consumer version of Windows Hello. There is still, though, the chance that this vulnerability could apply to other security systems where a third-party USB camera is used as a biometric sensor.

CyberArk Labs submitted this vulnerability to Microsoft on March 23, 2021. Microsoft acknowledged the issue a day later. Microsoft has since assigned a CVE for the issue and shared a mitigation via a security update on July 13.

According to Microsoft, this patch mitigated the issue and Windows Hello Enhanced Sign-in Security can protect against such attacks. CyberArk, though, points out that the mitigation depends on having devices with specific cameras, and the “inherent to system design, implicit trust of input from peripheral devices remains.” An investigation is still ongoing.

Arif Bacchus
Arif Bacchus is a native New Yorker and a fan of all things technology. Arif works as a freelance writer at Digital Trends…