The problem was discovered by researchers at SYSS who disclosed their findings on Full Disclosure. Microsoft is understood to have included a fix for the flaw in October’s Fall Creators Update. Older versions of the operating system are still at risk and may not be updated.
The technique involves printing out a specially modified photo of the target user’s face. A laser printer is used to create a low-resolution image from an IR camera. This is held in front of the Windows Hello sensor, which duly unlocks the device. An alternative technique involves obscuring the device’s RGB camera sensor and then revealing the image.
The exploit affects Windows 10 devices that include a near-infrared camera for advanced facial recognition. The researchers tested the trick against several products, including a Dell Latitude laptop with a USB webcam and Microsoft’s own Surface Pro 4. The Surface includes an “enhanced anti-spoofing” feature specifically designed to block Windows Hello bypasses. Enhanced anti-spoofing appears to be ineffective at stopping the exploit on older versions of Windows 10.
READ NEXT: Magic Leap unveils its augmented reality goggles
“The Microsoft Windows Hello face authentication using near infrared cameras in some Windows 10 versions is vulnerable to simple spoofing attacks,” wrote SYSS. “By using a modified printed photo of an authorized user, an unauthorized attacker is able to log in or to unlock a locked Windows 10 system as this spoofed authorized user… Windows Hello face authentication can easily be bypassed with little effort.”
The details of how Windows is fooled into authenticating the printed photo are unclear. The most important component of the attack seems to be the near-IR image used to masquerade as the user. This adds an element of difficulty for actors looking to exploit the flaw, since an IR photo of the target must first be obtained. However, the discovery’s still a significant weakness for Windows Hello, described by Microsoft as the “most secure way” to unlock Windows 10.
To stay secure, Windows Hello users should update to the Fall Creators Update to disable the flaw. Enabling enhanced anti-spoofing can also help to mitigate the vulnerability on the Windows 10 Creators Update.
Security researchers warned that merely installing the update isn’t sufficient to resolve the issue. Windows Hello must also be entirely reconfigured to prevent a successful attack, so facial recognition should be manually disabled and then turned back on.
