By Fooling a Webcam, Hackers were Able to get Past Windows Hello


Biometric authentication is a critical component of the IT industry's plan to eliminate the need for passwords. However, a new method for fooling Microsoft's Windows Hello facial recognition technology demonstrates that a little hardware tinkering can make the system unlock when it shouldn't.

Face-recognition authentication has become more prevalent in recent years thanks to services like Apple's FaceID, with Windows Hello driving usage even further. Face recognition by Hello is compatible with a variety of third-party webcams. 

Only webcams having an infrared sensor in addition to the conventional RGB sensor operate with Windows Hello facial recognition. However, it turns out that the system doesn't even look at RGB data. The researchers discovered that by using a single straight-on infrared image of a target's face and a black frame, they were able to open the victim's Windows Hello–protected device. The researchers were able to fool Windows Hello into thinking the device owner's face was there and unlocking by manipulating a USB webcam to produce an attacker-chosen image. 

“We tried to find the weakest point in the facial recognition and what would be the most interesting from the attacker’s perspective, the most approachable option,” says Omer Tsarfati, a researcher at the security firm CyberArk. “We created a full map of the Windows Hello facial-recognition flow and saw that the most convenient for an attacker would be to pretend to be the camera because the whole system is relying on this input.”

Microsoft dubbed the discovery a "Windows Hello security feature bypass vulnerability" and patched the problem on Tuesday. Furthermore, the company recommends that users use "Windows Hello enhanced sign-in security," which employs Microsoft's "virtualization-based security" to encrypt Windows Hello facial data and process it in a secure area of memory. 

Tsarfati, who will present the findings at the Black Hat security conference in Las Vegas next month, says the CyberArk team focused on Windows Hello's facial-recognition authentication because there has already been a lot of research into PIN cracking and fingerprint-sensor spoofing in the industry. 

He goes on to say that the team was attracted by a large number of Windows Hello users. Microsoft said in May 2020 that the service had over 150 million users. In December, Microsoft announced that 84.7 percent of Windows 10 users utilize Windows Hello to log in.