Skip to main content
  1. Home
  2. Computing

Researchers disclose vulnerability in Windows Hello facial recognition

By

Researchers at the security firm CyberArk Labs have discovered a vulnerability in Microsoft’s Windows Hello facial recognition system in Windows 10 and Windows 11. Calling it a “design flaw,” the researchers say that hackers can get around Windows Hello by using a certain type of hardware to eventually gain access to your PC.

Though it isn’t exactly something that is easily accomplished (and Microsoft says it has mitigated the vulnerability), there’s a very specific set of conditions that can lead to the bypassing. In all cases, hackers would need to capture an IR image of the victim’s face, have physical access to the victim’s PC, and also use a custom USB device that can impersonate a camera. CyberArk Labs describe the six-part process on its website, with a video showing the proof-of-concept.

A six step diagram showing the vulnerability in Windows Hello.
Image used with permission by copyright holder

Per the firm, this is all possible because Windows Hello will only process IR camera frames when trying to authenticate a user. “One would need to implement a USB camera that supports RGB and IR cameras. This USB device then only needs to send genuine IR frames of the victim to bypass the login phase, while the RGB frames can contain anything,” said CyberArk’s Omer Tsarfati.

Recommended Videos

There currently is no evidence that this vulnerability has been actively used, but CyberArk Labs warns that someone with the right skills can use this to target journalists and others with sensitive content on their devices. It is also important to note that the research was done on Windows Hello for Business and not the consumer version of Windows Hello. There is still, though, the chance that this vulnerability could apply to other security systems where a third-party USB camera is used as a biometric sensor.

CyberArk labs submitted this vulnerability to Microsoft back on March 23, 2021. Microsoft acknowledged this issue a day later. Microsoft has since assigned a CVE for the issue, sharing mitigation via a security update on July 13.

According to Microsoft, this patch mitigated the issue and Windows Hello Enhanced Sign-in Security can protect against such attacks. CyberArk, though, points out that the mitigation depends on having devices with specific cameras, and the “inherent to system design, implicit trust of input from peripheral devices remains.” An investigation is still ongoing.

Editors' Recommendations

Topics
Arif Bacchus
Arif Bacchus
Former Digital Trends Contributor
Arif Bacchus is a native New Yorker and a fan of all things technology. Arif works as a freelance writer at Digital Trends…
The latest Windows update is breaking VPN connections
Windows Update running on a laptop.

Microsoft has acknowledged that the Windows security updates for April 2024 (KB5036893 for Windows 11, KB5036892 for Windows 10) are causing disruptions to virtual private network (VPN) connections across various client and server platforms. According to information on the Windows health dashboard, devices running Windows may experience VPN connection failures following the installation of either the April 2024 security update or the April 2024 non-security preview update.

The company has also stated that it is actively investigating user reports regarding these issues and will share more details in the coming days. The impacted Windows versions include Windows 11, Windows 10, and Windows Server 2008 onward.

Read more
Windows 11 might nag you about AI requirements soon
Copilot on a laptop on a desk.

After recent reports of new hardware requirements for the upcoming Windows 11 24H2 update, it is evident that Microsoft is gearing up to introduce a bunch of new AI features. A new report now suggests that the company is working on adding new code to the operating system to alert users if they fail to match the minimum requirements to run AI-based applications.

According to Albacore on X (formerly known as Twitter), systems that do not meet the requirements will display a warning message in the form of a watermark. After digging into the latest Windows 11 Insider Build 26200, he came across requirements coded in the operating system for an upcoming AI File Explorer feature. The minimum requirement includes an ARM64 processor, 16GB of memory, 225GB of total storage, and a Qualcomm Snapdragon X Elite NPU.

Read more
The next big Windows 11 update has a new hardware requirement
Windows 11 device sitting on a stool.

Microsoft’s upcoming Windows 11 24H2 update is expected to arrive with yet another hardware requirement. Centered around SSE4.2 or Streaming SIMD Extensions 4.2, a crucial component for modern processors, the new Windows 11 24H2 with build 26080 will only boot on CPUs that support the instruction set.

This information comes from Bob Pony on X (previously known as Twitter), following earlier reports in February where he claimed that CPUs lacking support for the POPCNT instruction were no longer compatible with Windows 11. The updated requirement is essentially the same, except that they now mandate the entire SSE 4.2 instruction set instead of just the POPCNT instruction within it, as was previously required.

Read more