Windows Hello is meant to make logging in simple and secure at the same time. Security researchers, however, have now found a trick that bypasses its facial recognition.
Microsoft groups its options for biometric sign-in under the name Windows Hello. Besides fingerprint readers, the system also supports face recognition. This requires a webcam that, in addition to a normal image sensor, can also produce an infrared image of the computer's owner. The problem: a camera can be connected to the computer and used for authentication even while the machine is locked. This is exactly what the security experts have now exploited to undermine the system.
Security researchers at CyberArk built a USB device for this purpose that sends an infrared image of the computer's owner to Windows. In this way the computer could be unlocked without the owner even being in the room. "Our results show that any USB device can be cloned, and that any USB device can impersonate a different USB device. The operating system cannot verify the authenticity of such a device, at least not according to the USB specification," explains Omer Tsarfati of CyberArk to Wired.
Windows Hello: Microsoft responds with security patches
Microsoft has since released updates for the affected Windows 10 versions. CyberArk believes these will reduce the attack potential. By design, however, face recognition still has to trust the data it receives from a peripheral device. As a possible solution, the security experts suggest that Windows should verify the integrity of the device before using it.
It is unclear whether the attack scenario uncovered by CyberArk has actually been exploited by attackers. After all, an attacker would need an infrared image of the victim as well as physical access to their computer. The security gap would therefore be particularly relevant for espionage.