Skip to main content
  1. Home
  2. Computing
  3. News

Older Windows 10 devices susceptible to Windows Hello face spoofing

Add as a preferred source on Google

Two researchers recently discovered that anyone can bypass Windows Hello’s facial recognition in older versions of Windows 10. At the root of the issue are infrared cameras that don’t support Enhanced Anti-Spoofing, which essentially helps prevent anyone from walking up to your PC and using a printed photo to gain unauthorized access.

According to the researchers, devices upgrading from Windows 10 versions 1511 and 1607 using hardware that doesn’t support Enhanced Anti-Spoofing are vulnerable to their photo-based approach. This method relies on a head-on shot of the device owner in a near-infrared state. They also manually changed the brightness and contrast levels to meet the requirements of Windows Hello, and printed the image using a laser printer.

Recommended Videos

Typically, Enhanced Anti-Spoofing isn’t toggled on by default. On Windows 10 Pro and Enterprise, you can load up the Local Group Policy Editor and enable the feature by navigating to Administrative Templates > Windows Components > Biometrics > Facial Features. In Windows 10 Home, you can turn it on by editing the registry. But regardless of the Windows version, the camera must still provide support on a hardware level.

The proof-of-concept hack relies on the Dell Latitude E7470 with a LilBit USB camera. When testing with Windows 10 versions 1709, 1703, 1607, and 1511, the researchers were even able to break into the laptop with Enhanced Anti-Spoofing turned on.

Meanwhile, Microsoft’s Surface Pro 4 supports Enhanced Anti-Spoofing on a hardware level. With the feature enabled, the researchers couldn’t get into Windows 10 versions 1709 and 1703, but they did access the device on Windows 10 version 1607.

“In the spring of 2018 we will publish further results and details of our research project, for example on different variations of the attack,” Syss reports. “For example, our proof-of-concept video ‘Biometrics: Windows Hello Face Authentication Bypass PoC II’ shows two variants of the spoofing attack using different means.”

The takeaway from this discovery is that if your device doesn’t support Enhanced Anti-Spoofing on a hardware level, then it’s susceptible to photo-based access on all versions of Windows 10. If the device does support Enhanced Anti-Spoofing, then you should upgrade the platform to 1703 at the very least (1709 is the latest).

Of course, the second takeaway is that to gain access, you need a compatible, hard-to-acquire photo of the device owner. The proof of concept, as shown in the video above, relies on someone enabling facial recognition on the Surface Pro 4, and then converting what appears to be the same image to a near-IR form on a second PC. Using that second PC, he printed out the image at a 340 × 340 resolution, and successfully unlocked the Surface Pro 4.

Windows 10 device owners may want to remain somewhat wary about facial recognition for now. Even Apple’s Face ID technology on the recent iPhone X isn’t exactly perfect, and can even succumb to children who closely resemble iPhone X owners. That said, fingerprint scanners still appear to be the best option for gaining access to Windows 10 without the need for a password or PIN.

Kevin Parrish
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Claude’s Sonnet 5 is built to do more on its own and cost you less
Better than its predecessor, nearly as good as the flagship, and meaningfully cheaper than both.
Art, Floral Design, Graphics

Every major AI lab is racing to prove its models can work autonomously with minimal hand-holding; we’re now seeing pricing emerge as the next battleground. 

Anthropic just fired its latest shot, Claude Sonnet 5, a model the company says performs nearly as well as its flagship Opus 4.8 at a fraction of the cost.

Read more
Apple Creator Studio adds AI tools across Final Cut Pro, Logic Pro and Pixelmator Pro
Final Cut Pro gets AI captions, Auto Mask and better Pixelmator Pro workflows in Creator Studio update
Computer Hardware, Electronics, Hardware

Apple has introduced a major update to Apple Creator Studio, adding new AI features, deeper Pixelmator Pro integration, and workflow upgrades across Final Cut Pro, Logic Pro, Keynote, Pages, Numbers, Motion, Compressor, Freeform, and Final Cut Camera.

The update makes Creator Studio more useful across Mac, iPad, and iPhone, especially for people who move between video editing, image editing, presentations, documents, spreadsheets, and music production.

Read more
AI browsers like Perplexity Comet can be tricked into spilling your password through BioShocking exploit
Six AI browsers were found leaking saved passwords and many of them haven't fixed it yet.
MacBook Air in hand, Comet browser loaded—let’s see what Perplexity’s AI can really do

Security researchers just found a strange way to trick AI browsers into handing over your passwords. They managed to trick AI browser agents into exposing sensitive data like saved passwords, session cookies, and private tokens by disguising the theft as part of a harmless "game."

The technique is called BioShocking, named after the popular video game BioShock, where a brainwashed character is manipulated into believing a false reality. Once an AI browser falls for the same trick, it stops following its own safety rules entirely.

Read more