Security researchers at CyberArk managed to bypass Windows Hello facial recognition using a fake webcam that pumps IR data into a PC. The process behind this exploit is relatively simple, though it isn’t a serious concern for the average person, as it requires James Bond-like tactics to pull off.
Windows Hello verifies users with an IR snapshot that captures a 3D map of their face, which is why you can’t fool the authentication system with a printed photo. But you can still feed the Windows Hello authentication system “valid” images from a USB device, so long as it pretends to be a camera with IR and RGB sensors.
The CyberArk team found that Windows Hello requires a single IR and RGB image to verify a user. So, they loaded their USB device with a valid IR reading of a Windows user’s face, plus an RGB image of Spongebob. The USB device, plugged into a locked PC, successfully broke through Windows Hello.
Evidently, Windows Hello does not verify that IR images are from a live feed, and it does not check the contents of whatever RGB image it’s handed (CyberArk says that RGB requirement probably exists to prevent spoofing). A more thorough system would probably slow the Windows Hello sign-in process, which may defeat the purpose for some users.
The team at CyberArk says that hackers have probably never used this exploit, which makes sense. In order to pull this off, a hacker needs physical access to a PC that’s running Windows Hello, plus a near-IR image of its user. So on top of stealing a laptop or sneaking into a building, the hacker would need to take IR photos of you at a relatively short distance.
None of this is impossible, and it may be relatively easy if you’re a hacker with a serious work ethic, an agent on government payroll, or a disgruntled employee trying to screw over your employer. But there are still a lot of small hurdles here. Offices that are serious about security tend to hide desktop USB ports behind cages to prevent in-person attacks, for example, and you may have trouble accessing sensitive data on a secured computer or network even if you bypass a lock screen.
Microsoft has identified this exploit and says a patch was released on July 13th (though it may take a while for businesses to actually install the patch). The company also points out that businesses using Windows Hello Enhanced Sign-in Security are protected against any hardware that isn’t pre-approved by their system admins. Of course, if the hardware devices a business has approved are themselves insecure, Enhanced Sign-in Security could still be compromised.
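To make the two defensive points concrete (the missing liveness check from the CyberArk findings, and the approved-hardware list that Enhanced Sign-in Security adds), here is an added toy model in Python. It is not Microsoft's code and not CyberArk's proof of concept; the `Camera`, `Frame`, `naive_verify` and `hardened_verify` names, the feature-vector "templates", the USB vendor/product IDs and the match threshold are all constructed for illustration. `naive_verify` accepts a single IR frame from any camera and never looks at the RGB frame, as the article describes; `hardened_verify` additionally requires the camera to be on an allow-list and requires several IR frames that match the enrolled face but are not byte-for-byte identical, so a replayed still image is rejected even when it comes from an approved device.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Toy IR "template": a short feature vector standing in for a real 3D face map (constructed).
Template = Tuple[int, ...]


@dataclass(frozen=True)
class Frame:
    ir: Template   # infrared sample
    rgb: bytes     # colour sample; the naive path never inspects it


@dataclass
class Camera:
    """A camera as the authenticator sees it: a USB identity plus the frames it delivers."""
    vendor_id: int
    product_id: int
    frames: List[Frame]

    def read(self, n: int) -> List[Frame]:
        return self.frames[:n]


MATCH_THRESHOLD = 12  # max L1 distance between a frame and the enrolled template (assumed)


def ir_matches(ir: Template, enrolled: Template) -> bool:
    """Toy matcher: close enough in feature space counts as the same face."""
    if len(ir) != len(enrolled):
        return False
    return sum(abs(a - b) for a, b in zip(ir, enrolled)) <= MATCH_THRESHOLD


def naive_verify(cam: Camera, enrolled: Template) -> bool:
    """Models the behaviour the article describes: any camera, one IR frame, RGB ignored."""
    frame = cam.read(1)[0]
    return ir_matches(frame.ir, enrolled)


def hardened_verify(cam: Camera, enrolled: Template,
                    approved: Set[Tuple[int, int]], n_frames: int = 5) -> Tuple[bool, str]:
    """Allow-listed hardware + multi-frame liveness proxy + face match."""
    if (cam.vendor_id, cam.product_id) not in approved:
        return False, "camera not on approved-hardware list"
    frames = cam.read(n_frames)
    if len(frames) < n_frames:
        return False, "camera did not deliver a live stream"
    if not all(ir_matches(f.ir, enrolled) for f in frames):
        return False, "face does not match"
    # A live subject never produces bit-identical IR frames; a replayed still does.
    if len({f.ir for f in frames}) == 1:
        return False, "identical IR frames: static image, not a live subject"
    return True, "ok"


# --- constructed sample data -------------------------------------------------
ENROLLED: Template = (40, 52, 61, 77, 85, 90, 101, 115)
APPROVED: Set[Tuple[int, int]] = {(0xBBBB, 0x0002)}  # made-up IDs for the sanctioned camera

# Replay device: unapproved IDs, the enrolled IR template repeated, an unrelated RGB frame.
SPOOF_CAMERA = Camera(0xAAAA, 0x0001, [Frame(ENROLLED, b"rgb: cartoon")] * 5)

# Same static replay, but presenting the approved device's IDs.
SPOOF_ON_APPROVED_IDS = Camera(0xBBBB, 0x0002, [Frame(ENROLLED, b"rgb: cartoon")] * 5)

# Genuine camera: frames drift slightly around the enrolled template, as a live face would.
_DRIFT = [0, 1, -1, 1, 0]
GENUINE_CAMERA = Camera(0xBBBB, 0x0002, [
    Frame(tuple(v + d for v in ENROLLED), b"rgb: user") for d in _DRIFT
])


def demo() -> dict:
    return {
        "naive/spoof": naive_verify(SPOOF_CAMERA, ENROLLED),
        "hardened/spoof": hardened_verify(SPOOF_CAMERA, ENROLLED, APPROVED),
        "hardened/spoof-approved-ids": hardened_verify(SPOOF_ON_APPROVED_IDS, ENROLLED, APPROVED),
        "hardened/genuine": hardened_verify(GENUINE_CAMERA, ENROLLED, APPROVED),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model deliberately keeps each check separate so the order of failures is visible: the hardware allow-list stops the unapproved device, the frame-variation check stops a static replay even through an approved device (the caveat Microsoft raises about insecure approved hardware), and the match check is only reached by frames that clear both. Real liveness detection uses far richer signals than "frames differ", but the structure is the point.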
CyberArk says that it will present all of its Windows Hello findings at Black Hat 2021, which runs August 4th and 5th.