18. July 2021

This article has been indexed from E Hacking News – Latest Hacker News and IT Security News

Biometric authentication is a critical component of the IT industry’s plan to eliminate the need for passwords. However, a new method for fooling Microsoft’s Windows Hello facial recognition technology demonstrates that a little hardware tinkering can make the system unlock when it shouldn’t.

Face-recognition authentication has become more prevalent in recent years thanks to services like Apple’s FaceID, with Windows Hello driving usage even further. Face recognition by Hello is compatible with a variety of third-party webcams. 

Only webcams having an infrared sensor in addition to the conventional RGB sensor operate with Windows Hello facial recognition. However, it turns out that the system doesn’t even look at RGB data. The researchers discovered that by using a single straight-on infrared image of a target’s face and a black frame, they were able to open the victim’s Windows Hello–protected device. The researchers were able to fool Windows Hello into thinking the device owner’s face was there and unlocking by manipulating a USB webcam to produce an attacker-chosen image. 

“We tried to find the weakest point in the facial recognition and what would be the most interesting from the attacker’s perspective, the most approachable option,” says Omer Tsarfati, a researcher at the security firm CyberArk. “We created a full map of the Windows Hello facial-recognition flow and saw that the most convenient for an attacker would be to pretend to be the camera because the whole system is relying on this input.”