
Researchers Managed to Bypass Windows Hello with One Piece of Hardware

Image: Windows Hello with a sad face (credit: Microsoft)

Security researchers at CyberArk managed to bypass Windows Hello facial recognition using a fake webcam that pumps IR data into a PC. The process behind this exploit is relatively simple, though it isn’t a serious concern for the average person, as it requires James Bond-like tactics to pull off.

Windows Hello verifies users using an IR snapshot to see a 3D map of their face, which is why you can’t fool the authentication system with a printed photo. But you can still feed the Windows Hello authentication system “valid” images from a USB device, so long as it pretends to be a camera with IR and RGB sensors.

The CyberArk team found that Windows Hello requires a single IR and RGB image to verify a user. So, they loaded their USB device with a valid IR reading of a Windows user’s face, plus an RGB image of Spongebob. The USB device, plugged into a locked PC, successfully broke through Windows Hello.

Evidently, Windows Hello does not verify that IR images come from a live feed, and it does not check the contents of whatever RGB image it’s handed (CyberArk says the RGB requirement probably exists to prevent spoofing). A more thorough system would probably slow the Windows Hello sign-in process, which may defeat the purpose for some users.

The team at CyberArk says that hackers have probably never used this exploit, which makes sense. In order to pull this off, a hacker needs physical access to a PC that’s running Windows Hello, plus a near-IR image of its user. So on top of stealing a laptop or sneaking into a building, the hacker would need to take IR photos of you at a relatively short distance.

None of this is impossible, and it may be relatively easy if you’re a hacker with a serious work ethic, an agent on a government payroll, or a disgruntled employee trying to screw over your employer. But there are still a lot of small hurdles here. Offices that are serious about security tend to hide desktop USB ports behind cages to prevent in-person attacks, for example, and you may have trouble accessing sensitive data on a secured computer or network even if you bypass a lock screen.

Microsoft has identified this exploit and says a patch was released on July 13th (though it may take a while for businesses to actually install the patch). The company also points out that businesses using Windows Hello Enhanced Sign-in Security are protected against any hardware that isn’t pre-approved by their system admins—of course, if the hardware devices used by a business are insecure, Enhanced Sign-in Security could be compromised.
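The mitigation Microsoft points to, restricting sign-in to pre-approved camera hardware, is one that admins can at least partially audit on their own. The script below is an added example, not code from the article, CyberArk or Microsoft, and it is not Enhanced Sign-in Security: it simply lists the camera-class PnP devices currently present on a Windows PC and flags any whose InstanceId is not in an admin-maintained baseline file, so that an unexpected capture device (a second "webcam" appearing on a machine that already has a built-in one) stands out. The baseline path is an assumption, and the first run writes the current devices as the baseline.

```powershell
# Added example (not from the article, CyberArk or Microsoft): compare the
# camera-class PnP devices present right now against an admin-maintained
# baseline and warn about any that are not in it. This is an inventory check,
# not Windows Hello Enhanced Sign-in Security. The baseline path is assumed.
param(
    [string]$BaselinePath = "$env:ProgramData\CameraBaseline\approved-cameras.txt"
)

# Device setup classes that UVC webcams and IR/depth sensors register under.
$cameraClasses = @('Camera', 'Image')

# Only devices that are currently connected and enumerated.
$present = Get-PnpDevice -PresentOnly -Class $cameraClasses -ErrorAction SilentlyContinue |
    Select-Object FriendlyName, InstanceId, Status

if (-not (Test-Path $BaselinePath)) {
    # First run: record what is present now as the approved set.
    Write-Warning "No baseline at $BaselinePath; writing current devices as the baseline."
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $present.InstanceId | Set-Content -Path $BaselinePath
    $present | Format-Table -AutoSize
    return
}

# One InstanceId per line; ignore blank lines.
$approved = Get-Content $BaselinePath | Where-Object { $_.Trim() -ne '' }

# Anything present that the baseline does not list.
$unexpected = $present | Where-Object { $approved -notcontains $_.InstanceId }

if ($unexpected) {
    Write-Warning "Camera devices present that are not in the baseline:"
    $unexpected | Format-Table -AutoSize
    exit 1
} else {
    Write-Output "All present camera devices match the baseline."
    exit 0
}
```

Run it once on a known-good machine to create the baseline, then schedule it (or run it from an endpoint management tool) and alert on a non-zero exit code. A spoofed device can of course present whatever identifiers it likes, which is why this is a detection aid rather than a substitute for the patch or for admin-approved hardware enforcement.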

CyberArk says that it will present all of its Windows Hello findings at Black Hat 2021, which runs August 4th and 5th.

Source: CyberArk via Windows Central

Andrew Heinzman
Andrew is the News Editor for Review Geek, where he covers breaking stories and manages the news team. He joined Life Savvy Media as a freelance writer in 2018 and has experience in a number of topics, including mobile hardware, audio, and IoT.