CyberArk, a cybersecurity company, has found a way to hack Windows Hello, according to the technology website Wired. Windows Hello can be hacked with an infrared (IR) image of the computer owner.
Cameras with RGB and IR sensors are required to use Windows Hello, but CyberArk researchers say that Windows Hello processes only the infrared frames. To verify their findings, the researchers loaded a custom USB device with multiple IR frames of the computer owner and an RGB frame of the popular cartoon character SpongeBob. Windows Hello recognized the USB device as a USB camera, and Microsoft's facial recognition system unlocked the computer after analyzing one of the infrared frames on the device.
Researchers say more images are needed to trick Windows Hello. A Windows Hello-based computer can be unlocked with an IR frame and a black frame.
However, Wired admitted that hacking Windows Hello this way is very difficult in real life, because it requires at least one IR frame of the computer owner. Even so, the tech site fears that such flaws in a system designed to ensure customers' personal safety could pose significant risks.
The site said that as tech companies move from password-based authentication systems to biometric technology, they will have to take responsibility for the reliability of these technologies. Since Windows Hello is the most widely used facial recognition system, CyberArk decided to test its reliability.
After the researchers tricked Windows Hello with an IR frame, Microsoft released a patch called "Hello Security Feature Bypass Vulnerability" as a workaround. However, for extra caution, the company has suggested turning on Enhanced Windows Hello Login Security. This feature encrypts the user's face data.