This article is more than 1 year old

Windows 10 Hello face recognition can be fooled with photos

After you update, set it up again from scratch

If you've skipped recent Windows 10 Creators Updates, here's a reason to change your mind: its facial recognition security feature, Hello, can be spoofed with a photograph.

The vulnerability was announced by German pentest outfit Syss at Full Disclosure.

Even if you've installed the fixed versions that shipped in October – builds 1703 or 1709 – facial recognition has to be set up from scratch to make it resistant to the attack.

The “simple spoofing attacks” described in the post are all variations on using a “modified printed photo of an authorised user” (a frontal photo, naturally) so an attacker can log into a locked Windows 10 system.

On vulnerable versions, both the default config, and Windows Hello with its “enhanced anti-spoofing” feature enabled, Syss claimed.

“If 'enhanced anti-spoofing' is enabled, depending on the targeted Windows 10 version, a slightly different modified photo with other attributes has to be used, but the additional effort for an attacker is negligible.”

The researchers tested their attack against a Dell Latitude running Windows 10 Pro, build 1703; and a Microsoft Surface Pro running 4 build 1607.

They tried to change the Surface Pro's config to “enhanced anti-spoofing”, but claimed its “LilBit USB IR camera only supported the default configuration and could not be used with the more secure face recognition settings.”

The researchers published three proof-of-concept videos, below. ®

Youtube Video

Youtube Video

Youtube Video

More about

TIP US OFF

Send us news


Other stories you might like