How Windows 10 Hello Facial Recognition was bypassed by spoofing

Microsoft has let consumers update PCs running Windows 7, 8 and 10 to the Windows 10 Creators Update, and the recently published spoofing of Windows Hello facial recognition with a photograph is one more reason to move to the latest software.

Windows Hello's facial recognition is a biometric sign-in feature of Windows 10, offered as a new authentication method to keep attackers from accessing users' PCs.

But the German penetration-testing firm SySS recently published a bypass in which they were able to fool Windows Hello on machines running older versions of Windows 10, covering several Windows 10 versions on a number of different hardware platforms.

The exploit uses a “modified printed photo of an authorised user” (a frontal photo, naturally) to let an attacker log into a locked Windows 10 system.

The researchers ran the test on a Dell Latitude running Windows 10 Pro build 1703 and on a Microsoft Surface Pro running build 1607. The vulnerability was present both in the default configuration and with the Windows Hello “enhanced anti-spoofing” feature enabled.

According to the researchers' proof-of-concept video, they switched the Surface Pro to “enhanced anti-spoofing”, but noted that their “LilBit USB IR camera only supported the default configuration,” so it could not be used with the more secure face recognition settings.

That said, the attack requires a printed picture of the authorised user taken with an infrared camera, which makes it a fairly hard task to accomplish.

Even applying the latest Windows 10 Fall Creators Update, which fixes the exploit, may not be enough to block the attack, even with anti-spoofing enabled. Users are advised that, after installing the fixed versions that shipped in October (builds 1703 or 1709), facial recognition should be set up again from scratch to make it resistant to the attack.
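As an added example (not from the article or from SySS), a PowerShell audit that reports whether a host is still on a Windows 10 release older than the ones the article names as fixed and whether the “Configure enhanced anti-spoofing” Group Policy is enforced. It reads the documented registry locations for those two settings, assumes the ReleaseId value present on Windows 10 builds of that era, and the function name Get-HelloSpoofAudit is made up for this example.

```powershell
# Added audit example (not the article's or SySS's code). Run elevated on a
# Windows 10 host; it only reads the registry and prints findings.
$minFixed = 1703   # lowest release the article reports as carrying the fix

function Get-HelloSpoofAudit {
    # Windows version: ReleaseId is "1607", "1703", "1709", ... on builds of this era
    $ver = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $releaseId = 0
    $null = [int]::TryParse([string]$ver.ReleaseId, [ref]$releaseId)

    # Group Policy: Computer Configuration > Administrative Templates >
    # Windows Components > Biometrics > Facial Features > Configure enhanced anti-spoofing
    # Enabled writes EnhancedAntiSpoofing = 1 (DWORD) under this key.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
    $antiSpoof = (Get-ItemProperty -Path $polKey -Name EnhancedAntiSpoofing `
                  -ErrorAction SilentlyContinue).EnhancedAntiSpoofing

    $findings = New-Object System.Collections.Generic.List[string]
    if ($releaseId -lt $minFixed) {
        $findings.Add("Release $releaseId (build $($ver.CurrentBuild)) predates the fixed releases; update to 1703/1709 or later.")
    }
    if ($antiSpoof -ne 1) {
        $findings.Add("'Configure enhanced anti-spoofing' is not Enabled (EnhancedAntiSpoofing=$antiSpoof); enable it if the IR camera supports it.")
    }
    # Enrollment age is not recoverable from the registry, so the re-enrollment
    # step the article recommends is always reported for the operator to confirm.
    $findings.Add("If Hello face was enrolled before the update, remove it and set it up again (Settings > Accounts > Sign-in options).")

    [pscustomobject]@{
        ReleaseId         = $releaseId
        CurrentBuild      = $ver.CurrentBuild
        EnhancedAntiSpoof = $antiSpoof
        Findings          = $findings
    }
}

Get-HelloSpoofAudit | Format-List
```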

1 comment:

  1. If you're wondering what Windows Hello does, it's a biometrics-based technology that enables Windows 10 users to authenticate secure access to their devices, apps, online services and networks with just a fingerprint, iris scan or facial recognition.