Windows 10 Hello Facial Recognition System Compromises: What You Need To Know

The Windows 10 Hello facial recognition system has flaws that can compromise your security: a photograph can be used as a spoofing tool to unlock your device and access your data. This flaw was announced by the German pentest outfit SySS on the Full Disclosure mailing list.

The Windows 10 Hello system was created to let users protect their devices without a password: you can sign in with either facial recognition or a fingerprint. Based on Microsoft data, up to 85% of Windows 10 users make use of the Windows Hello feature.

However, an attacker can use a printed photograph of you to bypass the facial recognition system and gain access to your Windows 10 device. According to SySS, both the default configuration and the “enhanced anti-spoofing” feature can be bypassed. SySS said, “If ‘enhanced anti-spoofing’ is enabled, depending on the targeted Windows 10 version, a slightly different modified photo with other attributes has to be used…”

The vulnerability in the Windows 10 Hello facial recognition system can give an attacker access to your device and to your banking information. In the Chrome browser, Windows Hello was added as a payment authorization option: when a card is saved on the device, you can use facial recognition or the fingerprint scanner to complete the transaction. If criminals gain access to your device through facial spoofing, they can also authorize banking transactions by the same method.

Discovery

Researchers at CyberArk Labs discovered the flaw in early March; it is tracked as CVE-2021-34466. According to them, an attacker needs physical access to the target device before such an attack can be carried out.

Omer Tsarfati, a researcher at CyberArk, stated that once the attacker has physical access to the device, they can “manipulate the authentication process by capturing or recreating a photo of the target’s face and subsequently plugging in a custom-made USB device to inject the spoofed images to the authenticating host.”

Who Can Be Attacked?

Both businesses and individuals can be attacked by anyone who has access to the physical device. Local users or businesses may already have experienced an attack through facial recognition spoofing; however, none has been recorded.

Although researchers have no concrete evidence of anyone being attacked through the Windows 10 Hello facial recognition flaw, anyone with a personal motive and physical access could launch such an attack.

How Cybercriminals Exploit the Vulnerability

The CyberArk researchers made a video showing how the Windows 10 facial recognition vulnerability can be exploited on both the business and consumer versions.

According to Tsarfati, the biometric sensor supplies the data on which the OS makes the authentication decision.

The biometric sensor is either the camera built into the computer or a USB camera. The authentication outcome is determined by the information coming from the camera, and this is what makes it vulnerable. There are many different USB cameras, and some can put the device at risk.

The camera sends the captured frames to the OS; once a frame matches the one enrolled in the system, the device is unlocked. Because the OS has no way of determining whether the frame came from a live person, given the variety of USB cameras, a simple frontal photograph can unlock the device.

If Windows Hello did not allow external cameras, the risk would be reduced. Tsarfati stated that at the heart of the vulnerability lies the fact that Windows Hello accepts external data sources, which can be manipulated, as a root of trust.

The vulnerability can allow an attacker to steal a Windows Hello user’s credentials via a malicious USB camera device that supplies the victim’s facial biometric as a spoofed IR frame to the facial recognition algorithm. Once such a camera is in place, it becomes easy for an attacker to unlock the device.

Mitigating Attacks

In July, Microsoft addressed the compromise in its Patch Tuesday update. According to Microsoft, a new security feature called Windows Hello Enhanced Sign-in Security uses drivers, pre-installed hardware, and firmware to protect against attacks that tamper with the biometrics pipeline.

Nonetheless, Tsarfati believes the solution will still not fully solve the issue. According to him, Windows Hello Enhanced Sign-in Security can limit the attack, but its protection depends on the specific camera a user has. He said, “inherent to system design, implicit trust of input from peripheral devices remains. To mitigate this inherent trust issue more comprehensively, the host should validate the integrity of the biometric authentication device before trusting it.”
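As an added defensive check that is not part of the article, of CyberArk’s research or of Microsoft’s fix, the PowerShell below lists the cameras the host currently accepts as a data source and flags USB-enumerated ones, then reviews Security event 6416 for camera-class devices attached recently. It assumes Windows 10 with the built-in PnpDevice module and, for the second part, the “Audit PnP Activity” policy enabled; the property names read from the event follow its published schema.

```powershell
# Added example (not from the article, CyberArk, or Microsoft): inventory the cameras
# Windows currently sees and flag those enumerated over USB, i.e. the external data
# source the article says Windows Hello trusts. Run in an elevated PowerShell session.

# 1. Present camera devices; Windows exposes webcams under the Camera or Image class.
$cameras = @(Get-PnpDevice -PresentOnly -Class Camera, Image -ErrorAction SilentlyContinue)

$inventory = foreach ($cam in $cameras) {
    [pscustomobject]@{
        Name        = $cam.FriendlyName
        Status      = $cam.Status
        InstanceId  = $cam.InstanceId
        # USB-enumerated devices have instance IDs of the form USB\VID_xxxx&PID_xxxx\...
        ExternalUsb = $cam.InstanceId -like 'USB\*'
    }
}
$inventory | Format-Table -AutoSize

# 2. New external devices recognised in the last 7 days (Security event 6416,
#    "A new external device was recognized by the system"). Requires the
#    "Audit PnP Activity" subcategory to be enabled; otherwise no events exist.
$filter = @{ LogName = 'Security'; Id = 6416; StartTime = (Get-Date).AddDays(-7) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$newCameras = foreach ($e in $events) {
    # Parse the EventData fields (DeviceId, DeviceDescription, ClassName, ...) from the XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['ClassName'] -in @('Camera', 'Image')) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Device      = $data['DeviceDescription']
            DeviceId    = $data['DeviceId']
            ExternalUsb = $data['DeviceId'] -like 'USB\*'
        }
    }
}

if ($newCameras.Count -eq 0) {
    Write-Host 'No new camera-class devices recorded (or PnP auditing is not enabled).'
} else {
    $newCameras | Sort-Object Time | Format-Table -AutoSize
}
```

A USB camera appearing in the second table shortly before a Windows Hello sign-in is the event sequence the article describes and is worth correlating with the sign-in logs on hosts where only the built-in camera is expected.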

Conclusion

The Windows 10 Hello facial recognition system was created to make securing your device easier and safer. However, research shows that a printed picture, together with a compromised USB camera, can be used to access the device. Although Microsoft has tried to mitigate the issue, it has not been completely resolved. Sticking to traditional passwords and PINs and adding other security measures can help you protect your device in the meantime.