With Windows Hello, Microsoft aimed to provide a simple, secure way to authenticate while also remaining compatible with webcams from a variety of brands. According to the latest reports, researchers from CyberArk, a computer security company, have discovered a vulnerability in the system. They managed to trick the Hello facial recognition system using facial images of the computer owner.
Windows Hello requires a camera that captures both visible-light and infrared images, but after examining how the system works, the researchers concluded that only the infrared footage is actually processed. To test their conclusion, they built a special USB device and loaded it with infrared photographs of the user and images of SpongeBob in RGB format. The system recognized the device as a USB camera and unlocked. Moreover, a single image taken in the infrared range and a completely black frame turned out to be enough.
Of course, in reality it would not be so easy to hack someone's computer using this technique, since the attacker needs an IR photograph of the user. Such a photograph can still be obtained if necessary, but that no longer matters as long as updates are installed promptly: on July 13, Microsoft released a patch for Windows 10 that eliminates the described vulnerability.