Security researchers fool Microsoft’s Windows Hello authentication system

Microsoft designed Windows Hello to be compatible with webcams across multiple brands, but that feature designed for ease of adoption could also make the technology vulnerable to bad actors. As reported by Wired, researchers from the security firm CyberArk managed to fool the Hello facial recognition system using images of the computer owner’s face.

Windows Hello requires the use of cameras with both RGB and infrared sensors, but upon investigating the authentication system, the researchers found that it only processes infrared frames. To verify their finding, the researchers created a custom USB device, which they loaded with infrared photos of the user and RGB images of Spongebob. Hello recognized the device as a USB camera, and it was successfully unlocked with just the IR photos of the user. Moreover, the researchers found that they didn’t even need multiple IR images — a single IR frame with one black frame can unlock a Hello-protected PC.

Breaking into someone’s computer using the technique would be terribly hard to pull off in reality, seeing as the attacker still needs an IR photo of the user. That said, it’s still a weakness that could be exploited by those especially motivated to …read more