July 19, 2021
A potential vulnerability in Microsoft’s Windows Hello facial recognition system was recently discovered by security firm CyberArk.
Unlike Apple’s FaceID, which lets users use the feature only with cameras embedded in their latest iPhones and iPads, Hello facial recognition works with a number of third-party webcams.
By manipulating a USB webcam to deliver an image selected by attackers, researchers discovered that Windows Hello could be tricked into thinking the device owner’s face was present.
Microsoft called the vulnerability “Windows Hello security feature bypass vulnerability.” The company released patches on Tuesday which helped fix the issue.
The company also suggests that users use “Windows Hello enhanced sign-in security.”
A researcher from the security firm CyberArk, Omer Tsarfati, took a closer look at the vulnerability discovered and explained: “We tried to find the weakest point in the facial recognition and what would be the most interesting from the attacker’s perspective, the most approachable option. We created a full map of the Windows Hello facial-recognition flow and saw that the most convenient for an attacker would be to pretend to be the camera, because the whole system is relying on this input.”
For more information, read the original story in Arstechnica.
