Windows facial recognition has been deceived by cybersecurity specialists. The attack is much less serious than one might think, but it is a reminder that biometric authentication is not foolproof.
Identifying yourself with your fingerprint or via a facial recognition mechanism is not without risk. Further proof of this has been provided by security specialists at CyberArk.
Facial recognition deceived
In a blog post dated July 13, 2021, the firm explains how it managed to fool Windows Hello, Microsoft’s facial recognition mechanism. With a little willpower and a fair bit of technical knowledge, it was possible to unlock a computer and access its content as if the owner were standing right in front of the screen.
Unlike Apple’s Face ID technology, which is only available on the brand’s devices, Windows Hello can be adopted by all webcam manufacturers. Simply by purchasing a webcam with an infrared sensor, it is possible to activate the facial recognition feature on Windows. Unfortunately, this diversity of hardware also implies a diversity in the security measures put in place.
As CyberArk explains, it is possible to trick a Windows Hello webcam by “injecting” an infrared photo of the computer’s owner into the authentication chain. The facial recognition information that the webcam transmits to the system is not always secured, so it can be replaced on the fly with a photo. This photo makes the system believe that the owner of the machine is indeed sitting in front of the computer.
A risk to be put into perspective
Windows Hello webcams have both an infrared sensor and a standard photo sensor. The identification mechanism, however, relies only on the infrared image, which makes the hack a little easier: there is no need to have two images (standard and infrared) of the target to trick the PC.
All the same, the scope of such a flaw must be put into perspective. First, because Microsoft deployed a patch to correct the bug a few days ago, and above all because physical access to the machine was needed to exploit it. An infrared photo of someone’s face is not easily obtained either.
CyberArk readily admits it. The best way to get an infrared scan of a face is to “walk past the person equipped with a camera or place that IR camera in a place that the person will pass through, such as an elevator. […] Thanks to the advanced technologies of IR cameras, it is possible to take this photo even at a distance, for example from across the street or from a car.” This is closer to a James Bond scenario than to a situation the general public will encounter.
Biometrics is not foolproof
Nevertheless, this finding is interesting. First, because according to Microsoft, 84.7% of Internet users who sign in to Windows 10 do so through Windows Hello. The attack surface was therefore considerable, even though CyberArk states explicitly that exploitation of such a flaw outside its labs has not been proven.
The experiment also shows that biometric authentication, which was designed to replace passwords, is not infallible. Facial recognition can be fooled, just like fingerprint recognition. No mechanism is infallible, and a determined hacker will almost always be able to penetrate a machine, whether it is protected by a password or a biometric key.
These authentication methods are nevertheless more secure than a password, since defeating them requires more knowledge and more resources. Unless you are a super spy wanted by all the governments of the world, there is no need to panic.