Windows 10 facial recognition feature has a vulnerability that allows a photo to unlock the computer
Earlier this month, Microsoft released an update to fix a vulnerability in the Windows Hello facial recognition system that allows attackers to use printed photos to bypass facial scanning.
Windows Hello is a biometric authorization method that allows users to unlock Windows 10 devices (desktops, laptops, or tablets with NIR sensors) via face scan. Microsoft said Windows Hello mainly uses near-infrared (IR) imaging technology, which is more convenient and more secure than the traditional method of unlocking a device by entering a passcode.
The vulnerabilities were discovered by two cybersecurity experts at SySS in Germany, Matthias Deeg and Philipp Buchegger, and affect multiple versions of Windows 10.
Security experts say only a few key elements need to be in place to successfully exploit the vulnerability:
- Photos must be frontal;
- The photo must be taken by a near-infrared camera;
- The brightness and contrast of photos need to be easily modified;
- Photographs must be printed by a laser printer.
In general, Windows Hello runs in one of two configurations: the default, in which the “enhanced anti-spoofing” feature is not enabled, and a more secure one, in which the feature is enabled.
The vulnerabilities primarily affected older versions of Windows 10, such as 1511 and 1607. The tests confirmed that a low-resolution (340×340 pixels) photo of the device owner is sufficient to unlock multiple Windows 10 devices that have the Windows Hello feature enabled.
Even if these devices have the “enhanced anti-spoofing” feature enabled, the attack still works. The only additional condition is a higher-resolution (480×480 pixels) photo. This is still a very low-resolution photo, and one that is very easy to obtain.
Below is the third proof-of-concept video
This does not mean that newer versions of Windows 10 are completely spared. The security experts say that 1703, and even the latest 1709, are still affected by the vulnerability when the “enhanced anti-spoofing” feature is not enabled.
According to the security experts' test results, the newer Windows 10 versions 1703 and 1709 are less susceptible to the attacks described above when the enhanced anti-spoofing feature is enabled.
As a result, SySS recommends that Windows 10 users who have activated the Windows Hello feature update their system to version 1709 or a later release, enable the enhanced anti-spoofing feature, and then reconfigure Windows Hello.
SySS stressed that reconfiguring Windows Hello is the last step. Its tests showed that if the operating system is only updated from a vulnerable version such as 1511 or 1607 to the latest 1709 without reconfiguring Windows Hello, the attack described above still works.
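A PowerShell check for the first two steps of this recommendation, added here as an example and not taken from SySS or Microsoft. The build number used for version 1709 (16299) and the Group Policy registry value for enhanced anti-spoofing are assumptions that come from Windows itself, not from this article; the function name is hypothetical.

```powershell
# Added example: audits the machine-side conditions of the SySS recommendation.
# Assumptions (not from the article): version 1709 is build 16299, and enhanced
# anti-spoofing is managed through the Group Policy registry value below.
$MinBuild   = 16299
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
$PolicyName = 'EnhancedAntiSpoofing'

function Test-HelloFaceHardening {
    # Installed Windows 10 build, read from the registry.
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber

    # A missing key or value means the policy is not configured (feature off).
    $policy    = Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
    $antiSpoof = ($null -ne $policy) -and ($policy.$PolicyName -eq 1)

    $findings = @()
    if ($build -lt $MinBuild) {
        $findings += "Build $build is older than version 1709 (build $MinBuild): update Windows 10."
    }
    if (-not $antiSpoof) {
        $findings += "Enhanced anti-spoofing policy is not enabled."
    }
    # The last step cannot be verified from these settings: an enrollment made
    # before the update or policy change has to be removed and set up again.
    $findings += "Confirm Windows Hello face recognition was reconfigured after the update."

    [pscustomobject]@{
        Build               = $build
        BuildOk             = ($build -ge $MinBuild)
        AntiSpoofingEnabled = $antiSpoof
        Findings            = $findings
    }
}

$result = Test-HelloFaceHardening
$result | Format-List Build, BuildOk, AntiSpoofingEnabled
$result.Findings | ForEach-Object { Write-Output "- $_" }
```

The script only reads settings. A machine that passes both checks still needs the Windows Hello re-enrollment that SySS describes as the last step.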
Reference: bleepingcomputer