Skip to main content
  1. Home
  2. Computing

Researchers disclose vulnerability in Windows Hello facial recognition

Arif Bacchus
By

Researchers at the security firm CyberArk Labs have discovered a vulnerability in Microsoft’s Windows Hello facial recognition system in Windows 10 and Windows 11. Calling it a “design flaw,” the researchers say that hackers can get around Windows Hello by using a certain type of hardware to eventually gain access to your PC.

Though it isn’t exactly something that is easily accomplished (and Microsoft says it has mitigated the vulnerability), there’s a very specific set of conditions that can lead to the bypassing. In all cases, hackers would need to capture an IR image of the victim’s face, have physical access to the victim’s PC, and also use a custom USB device that can impersonate a camera. CyberArk Labs describe the six-part process on its website, with a video showing the proof-of-concept.

A six step diagram showing the vulnerability in Windows Hello.

Per the firm, this is all possible because Windows Hello will only process IR camera frames when trying to authenticate a user. “One would need to implement a USB camera that supports RGB and IR cameras. This USB device then only needs to send genuine IR frames of the victim to bypass the login phase, while the RGB frames can contain anything,” said CyberArk’s Omer Tsarfati.

Related

There currently is no evidence that this vulnerability has been actively used, but CyberArk Labs warns that someone with the right skills can use this to target journalists and others with sensitive content on their devices. It is also important to note that the research was done on Windows Hello for Business and not the consumer version of Windows Hello. There is still, though, the chance that this vulnerability could apply to other security systems where a third-party USB camera is used as a biometric sensor.

CyberArk labs submitted this vulnerability to Microsoft back on March 23, 2021. Microsoft acknowledged this issue a day later. Microsoft has since assigned a CVE for the issue, sharing mitigation via a security update on July 13.

According to Microsoft, this patch mitigated the issue and Windows Hello Enhanced Sign-in Security can protect against such attacks. CyberArk, though, points out that the mitigation depends on having devices with specific cameras, and the “inherent to system design, implicit trust of input from peripheral devices remains.” An investigation is still ongoing.

Editors' Recommendations

Topics
Samsung Galaxy Book 3 Ultra vs. MacBook Pro 16-inch
Someone typing on the Samsung Galaxy Book 3 Ultra.
We now know how Apple’s VR headset may handle video, and it’s pretty awesome
A rendering of an Apple mixed-reality headset (Reality Pro) in a gray color seen from the front.
Apple Reality Pro: everything we know about Apple’s VR headset
Apple VR Headset Concept by Antonio De Rosa
Samsung’s 43-inch mini-LED monitor looks stellar — if your desk can handle it
Samsung's Odyssey Neo G7 on a desk.
The Galaxy Book 3 Ultra is Samsung’s most powerful laptop ever
Samsung Galaxy Book3 Ultra laptop.
Nvidia may have another monster GPU in the works, and the price could be outrageous
GeForce RTX logo is shown on the side of a graphics card.
AMD’s Ryzen 9 7950X3D pricing keeps the pressure on Intel
A hand holding AMD's Ryzen 9 7950X3D processor.
What is ChatGPT Plus? Everything we know about the premium tier
Close up of ChatGPT and OpenAI logo.
ChatGPT Plus to bring priority access during peak times — at a hefty price
ChatGPT and OpenAI logos.
Usually $3,879, this Lenovo laptop is down to $1,479 today
Opened Lenovo ThinkPad X1 Extreme Gen 4 sitting on the ground.
Get this Asus gaming laptop with an RTX 3060 while it’s $400 off
A side view of an Asus ROG Zephyrus gaming laptop on a white background.
All of Samsung’s videos from today’s Galaxy Unpacked event
Samsung's Galaxy S23 Ultra phone.
Best 2-in-1 laptop deals: Save on Dell, Lenovo, HP and more
A woman uses the trackpad of the HP 14-inch 2-in-1 touch laptop.