The Microsoft Windows Hello authentication system is compatible with webcams from different manufacturers, making it as easy to use as possible. However, this versatility can make the technology less secure against attackers. Researchers from CyberArk confirmed this when they managed to deceive Windows Hello using a face image of the computer owner.
Windows Hello is compatible with a variety of webcams that have an RGB or infrared sensor. The researchers found that the system processes only infrared frames during authentication. To test this hypothesis, they built a custom USB device and loaded it with infrared photographs of the laptop owner and RGB images of the cartoon character SpongeBob. Once it was connected, Windows Hello detected the device as a USB camera, and the computer was successfully unlocked using an infrared photo.
It is worth noting that hacking someone’s computer with this technique would be extremely difficult, since it requires obtaining an infrared photograph of the device’s owner. However, this is still a Windows Hello security flaw that could theoretically be exploited by attackers. Microsoft has already released a fix for what the company calls the “Hello security feature bypass vulnerability.” Microsoft also offers Windows Hello Enhanced Sign-in Security, which encrypts the user’s face and stores it in a separate secure area.