Researchers trick Windows Hello authentication with infrared snapshot

Microsoft's Windows Hello authentication system is compatible with webcams from different manufacturers, which makes it as easy to use as possible. However, this versatility can make the technology less secure against attackers. Experts from CyberArk confirmed this when they managed to deceive Windows Hello using a face image of the computer owner.

Windows Hello is compatible with a variety of webcams that have an RGB or infrared sensor. In the course of the research, it was found that the system processes only infrared frames during authentication. To test this hypothesis, the researchers built a special USB device onto which they loaded infrared photographs of the laptop owner and RGB images of the cartoon character SpongeBob. Once it was connected, Windows Hello detected the device as a USB camera, and the computer was successfully unlocked using an infrared photo.

It is worth noting that it will be extremely difficult to hack someone’s computer using this technique, since it requires obtaining an infrared photograph of the owner of the device. However, this is still a Windows Hello security flaw that could theoretically be exploited by attackers. Microsoft has already released a fix for what the company calls the “Hello security feature bypass vulnerability.” Microsoft also offers Windows Hello Enhanced Sign-in Security, which encrypts the user’s face data and stores it in a separate secure area.


Alexandr Ivanov earned his Licentiate Engineer in Systems and Computer Engineering from the Free International University of Moldova. Since 2013, Alexandr has been working as a freelance web programmer.
Function: Web Developer and Editor
Alexandr Ivanov
