Using a printed headshot, security researchers bypassed the Windows Hello facial authentication to access a machine.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- German security researchers tricked the Windows Hello authentication system using a printed photo of the authorized user. —TechRepublic, 2017
- The attack works against multiple versions of the Windows 10 OS, but researchers are urging users to upgrade to the Fall Creators Update to stay protected. —TechRepublic, 2017
Windows Hello, the facial recognition system that allows users to log into their laptop by looking into the device's camera, can be fooled pretty easily. Using only a modified printed photo of the authorized user, German security researchers were able to trick a machine into letting them into the system.
The research supports the theory that certain biometric security mechanisms may not be as secure as once thought. This could slow the adoption of such technology, especially among business and professionals users, just as it was starting to gain more mainstream traction with the release of the iPhone X.
The findings of the research were detailed in a security advisory written by Matthias Deeg and Philipp Buchegger. According to the pair, the attack works on both the default Windows Hello configuration and Windows Hello with the "enhanced anti-spoofing" feature enabled. The latter requires a slightly different photo, but the authors described the additional work needed to create it as "negligible."
SEE: Security awareness and training policy (Tech Pro Research)
The vulnerability lies in Hello's reliance on near-infrared (IR) imaging. As noted on our sister site ZDNet, near-IR is used because it works well in low-light situations. However, by printing a modified photo (with a specific resolution or color scale) of the authenticated user, or by covering the RGB camera with tape, the researchers bypassed Hello through the near-IR enabled camera with ease.
In the advisory, the researchers noted that they were able to test the attack on both a Dell Latitude and a Surface Pro 4. They tested versions of Windows 10 Pro ranging from 1511 to 1709.
For Windows users, the fix starts by upgrading to the latest version of Windows 10. According to the test, newer versions like 1703 and 1709 aren't susceptible to the attack if they have the enhanced anti-spoofing engaged and are being used with the proper hardware, the advisory said.
However, upgrading to the latest version alone isn't enough. Users will then need to reconfigure Windows Hello Face Authentication afterwards, the researchers wrote. If a user were to update from an older version like 1607 without reconfiguring Hello, then they will still be vulnerable to the attack.
According to the advisory, the researchers notified Microsoft of the vulnerability on October 20.
- 20 pro tips to make Windows 10 work the way you want (free PDF) (TechRepublic)
- Windows 10 face unlock can be tricked using printed headshot (ZDNet)
- Windows 10 Creators Update: The smart person's guide (TechRepublic)
- Windows Hello: This bank wants you to log into your account with your face or fingerprint (ZDNet)
- 4 Windows Hello devices that will change the way you log into your PC (TechRepublic)