
Researchers disclose vulnerability in Windows Hello facial recognition

Researchers at the security firm CyberArk Labs have discovered a vulnerability in Microsoft’s Windows Hello facial recognition system in Windows 10 and Windows 11. Calling it a “design flaw,” the researchers say that hackers can get around Windows Hello by using a certain type of hardware to eventually gain access to your PC.

Though it isn’t exactly something that is easily accomplished (and Microsoft says it has mitigated the vulnerability), a very specific set of conditions is required for the bypass. In all cases, hackers would need to capture an IR image of the victim’s face, have physical access to the victim’s PC, and also use a custom USB device that can impersonate a camera. CyberArk Labs describes the six-part process on its website, with a video showing the proof-of-concept.

A six step diagram showing the vulnerability in Windows Hello.

Per the firm, this is all possible because Windows Hello will only process IR camera frames when trying to authenticate a user. “One would need to implement a USB camera that supports RGB and IR cameras. This USB device then only needs to send genuine IR frames of the victim to bypass the login phase, while the RGB frames can contain anything,” said CyberArk’s Omer Tsarfati.

There is currently no evidence that this vulnerability has been actively used, but CyberArk Labs warns that someone with the right skills could use it to target journalists and others with sensitive content on their devices. It is also important to note that the research was done on Windows Hello for Business and not the consumer version of Windows Hello. There is still, though, the chance that this vulnerability could apply to other security systems where a third-party USB camera is used as a biometric sensor.

CyberArk Labs submitted this vulnerability to Microsoft back on March 23, 2021. Microsoft acknowledged the issue a day later. Microsoft has since assigned a CVE for the issue, sharing mitigation via a security update on July 13.

According to Microsoft, this patch mitigated the issue and Windows Hello Enhanced Sign-in Security can protect against such attacks. CyberArk, though, points out that the mitigation depends on having devices with specific cameras, and the “inherent to system design, implicit trust of input from peripheral devices remains.” An investigation is still ongoing.

Arif Bacchus
Arif Bacchus is a native New Yorker and a fan of all things technology. Arif works as a freelance writer at Digital Trends…