Hackers find a flaw in Microsoft’s Hello facial-recognition system and trick system into unlocking when it shouldn't

Published July 19th, 2021 by Bayon Technologies Group

Biometric authentication is a key factor of the tech industry’s plan to eliminate log-in passwords. Services like Apple’s FaceID recognition have made this feature widely recognized, followed by Microsoft’s Hello which has had quite an improvement over the last few years. Apple allows you to use FaceID with cameras embedded in iPhones and iPads however is not yet compatible with all Macs. Now since Microsoft is so diverse and works with a large selection of third-party webcams it does get the upper hand on this subject.

Ultimately, hackers always find a way to uncover flaws and vulnerabilities in every system and this feature is no exception. Windows Hello facial recognition works only with webcams that use infrared sensors in addition to the standard RGB sensors. However, the system seems to overlook RGB data…. What does this mean you might ask? Well, this means that with one straight-on infrared image of the individual’s face and one black frame, it tricks the system into believing the person is actually there and bypasses Windows Hello security feature unlocking the protected device.

Microsoft commented on this flaw and called it a “ Window Hello security feature bypass vulnerability” and immediately released a patch for it to address this issue. In addition, the giant in technology suggests that users should be using the “Windows hello enhanced sign in security feature” which utilizes Microsoft's “virtualization-based-security” to encrypt Windows Hello face data and processes into the memory where it cannot be tampered with.

In reality, there is a deeper issue here, as previously mentioned, Windows Hello feature works with several third-party companies, therefore, it is extremely hard to create that Camara and system trust connection. On the other hand, Apple FaceID only works with the company’s proprietary TrueDepth camera, an infrared camera combined with several other sensors. This provides total control over both hardware and software creating a safer ecosystem, something that Windows cannot really do.

Marc Rogers a long time biometric-sensor security researcher and vice president of cybersecurity at the digital identity management company Okta, states that he is very surprised that Microsoft did not anticipate the possibility of attacks done to third-party cameras and that “really Microsoft should know better” “This attack pathway, in general, is one that we have known for a very long time. I’m a bit disappointed that they aren’t more strict about what cameras they will trust”

‹ Back