Researchers disclose vulnerability in Windows Hello facial recognition

Researchers at the security firm CyberArk Labs have discovered a vulnerability in Microsoft’s Windows Hello facial recognition system in Windows 10 and Windows 11. Calling it a “design flaw,” the researchers say that hackers can get around Windows Hello by using a certain type of hardware to eventually gain access to your PC.

The bypass isn’t easily accomplished (and Microsoft says it has mitigated the vulnerability); it depends on a very specific set of conditions. In all cases, hackers would need to capture an IR image of the victim’s face, have physical access to the victim’s PC, and also use a custom USB device that can impersonate a camera. CyberArk Labs describes the six-part process on its website, with a video showing the proof-of-concept.

A six step diagram showing the vulnerability in Windows Hello.

Per the firm, this is all possible because Windows Hello will only process IR camera frames when trying to authenticate a user. “One would need to implement a USB camera that supports RGB and IR cameras. This USB device then only needs to send genuine IR frames of the victim to bypass the login phase, while the RGB frames can contain anything,” said CyberArk’s Omer Tsarfati.

There currently is no evidence that this vulnerability has been actively used, but CyberArk Labs warns that someone with the right skills can use this to target journalists and others with sensitive content on their devices. It is also important to note that the research was done on Windows Hello for Business and not the consumer version of Windows Hello. There is still, though, the chance that this vulnerability could apply to other security systems where a third-party USB camera is used as a biometric sensor.

CyberArk Labs submitted this vulnerability to Microsoft back on March 23, 2021. Microsoft acknowledged the issue a day later. Microsoft has since assigned a CVE for the issue and shared a mitigation via a security update on July 13.

According to Microsoft, this patch mitigated the issue and Windows Hello Enhanced Sign-in Security can protect against such attacks. CyberArk, though, points out that the mitigation depends on having devices with specific cameras, and that the “inherent to system design, implicit trust of input from peripheral devices remains.” An investigation is still ongoing.

Arif Bacchus