
Researchers disclose vulnerability in Windows Hello facial recognition


Researchers at the security firm CyberArk Labs have discovered a vulnerability in Microsoft’s Windows Hello facial recognition system in Windows 10 and Windows 11. Calling it a “design flaw,” the researchers say that hackers can get around Windows Hello by using a certain type of hardware to eventually gain access to your PC.

Though it isn’t exactly something that is easily accomplished (and Microsoft says it has mitigated the vulnerability), a very specific set of conditions must be met for the bypass to work. In all cases, hackers would need to capture an IR image of the victim’s face, have physical access to the victim’s PC, and use a custom USB device that can impersonate a camera. CyberArk Labs describes the six-part process on its website, along with a video showing the proof of concept.

[Figure: A six-step diagram showing the vulnerability in Windows Hello.]

Per the firm, this is all possible because Windows Hello will only process IR camera frames when trying to authenticate a user. “One would need to implement a USB camera that supports RGB and IR cameras. This USB device then only needs to send genuine IR frames of the victim to bypass the login phase, while the RGB frames can contain anything,” said CyberArk’s Omer Tsarfati.


There currently is no evidence that this vulnerability has been actively used, but CyberArk Labs warns that someone with the right skills can use this to target journalists and others with sensitive content on their devices. It is also important to note that the research was done on Windows Hello for Business and not the consumer version of Windows Hello. There is still, though, the chance that this vulnerability could apply to other security systems where a third-party USB camera is used as a biometric sensor.

CyberArk Labs submitted this vulnerability to Microsoft on March 23, 2021, and Microsoft acknowledged the issue a day later. Microsoft has since assigned a CVE to the issue and shared a mitigation via a security update on July 13.

According to Microsoft, this patch mitigated the issue and Windows Hello Enhanced Sign-in Security can protect against such attacks. CyberArk, though, points out that the mitigation depends on having devices with specific cameras, and the “inherent to system design, implicit trust of input from peripheral devices remains.” An investigation is still ongoing.

Arif Bacchus
Arif Bacchus is a native New Yorker and a fan of all things technology. Arif works as a freelance writer at Digital Trends…