Israeli cybersecurity firm CyberArk has found a serious problem with the Windows Hello facial recognition system. CyberArk says that it was able to circumvent the Windows security system by using a picture of the person in question and a USB-connected device.
Back in the 1980s, all of these security checks that we now take for granted were the stuff of sci-fi. In Star Trek II: The Wrath of Khan, we got to see Captain Kirk authenticate his security clearance with a really fancy retina scan system. Similarly, many James Bond type movies showed security systems which required an ID card in addition to both visual and voice recognition.
Now just think about all of those Mission Impossible movies. Tom Cruise could easily beat any facial recognition system with one of those masks. Scarlett Johansson uses similar tech in the Marvel movies.
Well, such tech is not a reality, at least not yet.
Microsoft promises that Windows Hello is a more “personal, more secure way” to get instant access to your Windows 10 devices using a PIN, facial recognition, or fingerprint. The main feature of Windows Hello is biometric authentication.
CyberArk says it surmised that the biometric sensor was the weak link in the chain, potentially exposing the system to data manipulation attacks on the target’s device. “The sensor is a device that transmits information on which the OS,” explains CyberArk, “in particular Windows Hello, makes its authentication decision. Therefore, manipulating this information can lead to a potential bypass to the whole authentication system.”
The problem here, as CyberArk explains, is that the camera which people use to present their faces for recognition can be an external device connected to a computer by way of a USB port. As such, the Windows system can be fooled into thinking that the image seen is live and not a photograph. Once this stage is bypassed, the system has been hacked.
“Our findings show that any USB device [such as a webcam] can be cloned, and any USB device can impersonate any other USB device.”
— CyberArk (@CyberArk) July 15, 2021
CyberArk summed up its research saying, “We have seen that an attacker can create a custom-made USB device that Windows Hello will work with. The attacker controls the data that comes from this device. With only one valid IR frame of the target, the adversary can bypass the facial recognition mechanism of Windows Hello, resulting in a complete authentication bypass and potential access to all the victim’s sensitive assets.”