Smartphones used biometric authentication such as fingerprints and faces long before it became popular on laptops and desktops. Microsoft’s Windows Hello framework, which aims to bring the same convenience and security to the desktop, seems to be working well enough. However, new security research has revealed a serious flaw in Windows Hello’s face recognition that could bypass authentication via a custom-made USB device. Fortunately, exploiting this flaw in real life is not as easy as it sounds.
CyberArk security researchers found that it was easy to fool Windows Hello’s facial recognition. Windows Hello requires that a computer have both an RGB and an IR sensor to perform face recognition. However, it turns out that only the IR sensor’s data actually matters to the check, so it is all that is needed to bypass Windows’ security.
The researchers built a USB device from an NXP evaluation board that presented itself to Windows as a USB camera with both RGB and IR sensors. The device sent pre-made frames: IR frames of the legitimate user and RGB frames of SpongeBob. They found that Windows Hello needed only one IR frame of the user and one plain black RGB frame to accept the login.
CyberArk attributes the vulnerability to the fact that Windows Hello allows external devices, such as smartphones and tablets, to be used as data sources for biometric authentication. It has to allow this because not all Windows computers have fingerprint sensors or cameras built in. However, the research shows that this is the weakest link in a security system that should be foolproof.
It’s not a nightmare waiting to happen. An attacker would need to obtain IR images of the target’s face to exploit this vulnerability, which is not an easy task. In addition, they would need physical access to the computer or laptop, although that access could be gained by other means.