This is how easy it is to trick Windows Hello into logging into your PC

Windows Hello lets us sign in to the PC in several different ways. The most widely used is the PIN, a numeric code (four digits by default, though it can be longer) that we type to unlock the session, much like the code on a bank card. We can also sign in with a fingerprint (if the PC has a reader), with a hardware security key that unlocks the PC instantly, or with a webcam that has an infrared sensor and recognises our face before letting us in.

In principle these advanced sign-in methods are safe and are not supposed to put the PC at risk in any way. However, security researchers have found a way to fool the facial recognition component.

This is how they can fool Windows Hello with a fake webcam

A group of researchers (CyberArk Labs) demonstrated how easy it is to build a fake USB webcam from a small development board, similar to a Raspberry Pi, whose only job is to send purpose-made infrared frames straight to the Windows Hello face driver. Windows Hello accepts them without complaint.

The root of the problem is that, by default, Windows Hello treats any camera that reports infrared support as a Windows Hello camera. It performs no further check and imposes no other requirement before trusting the device: the mere presence of an IR stream is enough for it to be used for facial recognition.

All an attacker needs to carry out the attack is an infrared capture of the victim's face and a plain black-and-white frame. The IR frame is what the recognition step matches against, while the second frame serves as the 'proof of life'.

Attackers can obtain the victim's IR image in many ways. For example, they can take infrared captures from a distance, or plant hidden cameras in places the person passes through regularly, such as a lift.

Microsoft has acknowledged the flaw

Microsoft was quick to acknowledge the issue, which has been registered as CVE-2021-34466. While the company works on a way to mitigate the flaw (which, admittedly, is not simple), it recommends that users enable Windows Hello Enhanced Sign-in Security. With that feature turned on, only cameras that the OEM has validated for it can be used as an authentication source for Windows Hello.

With that restriction in place, an external USB camera cannot inject frames and fool the sign-in process. Unfortunately, the list of OEM cameras validated by Microsoft is very short, so not every PC can take advantage of it.
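Because the attack hinges on an extra camera appearing over USB, one practical check is to inventory the cameras Windows currently sees and flag any that is unknown or USB-enumerated. The script below is an added example, not code from the original article or from the researchers; it assumes Windows 10/11 with the built-in PnpDevice cmdlets, and the baseline list of instance IDs it compares against is a constructed placeholder that you would replace with the IDs from a clean run on a trusted machine.

```powershell
# Added example (not from the original article or the researchers' code).
# Lists the cameras Windows currently sees and flags any that is missing from a
# known-good baseline or was enumerated over USB, the path a rogue "webcam" like
# the one described would take. Assumes Windows 10/11 with the built-in
# PnpDevice cmdlets; run from an elevated PowerShell prompt.

# Constructed baseline: the camera instance IDs you expect on this machine.
# Replace with the IDs reported by a clean run on a trusted build.
$KnownCameras = @(
    'USB\VID_0000&PID_0000&MI_00\EXAMPLE-INTERNAL-CAMERA'
)

function Get-CameraInventory {
    # Webcams appear under the 'Camera' class (newer drivers) or the legacy
    # 'Image' class; the IR sensors Windows Hello uses show up here as well.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.Class -in @('Camera', 'Image') } |
        ForEach-Object {
            $removal = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                            -KeyName 'DEVPKEY_Device_RemovalPolicy').Data
            [pscustomobject]@{
                FriendlyName  = $_.FriendlyName
                InstanceId    = $_.InstanceId
                Status        = $_.Status
                # First segment of the instance ID is the enumerator (USB, PCI, ...)
                Bus           = ($_.InstanceId -split '\\')[0]
                # 1 = not expected to be removed, 2 = orderly removal, 3 = surprise removal
                RemovalPolicy = $removal
                Known         = $KnownCameras -contains $_.InstanceId
            }
        }
}

$inventory = Get-CameraInventory
$inventory | Format-Table -AutoSize

$suspect = $inventory | Where-Object { -not $_.Known -and $_.Bus -eq 'USB' }
if ($suspect) {
    Write-Warning 'Unrecognised USB-attached camera(s) present:'
    $suspect | ForEach-Object {
        Write-Warning ('  {0} [{1}]' -f $_.FriendlyName, $_.InstanceId)
    }
} else {
    Write-Host 'No unknown USB cameras found.'
}
```

Two caveats: many built-in laptop cameras are themselves wired to an internal USB hub, so take a baseline first rather than treating every USB entry as hostile; and an inventory like this only tells you a device appeared, it does not make Windows Hello stop trusting it. Enhanced Sign-in Security, where the hardware supports it, is the control that actually restricts which cameras may authenticate.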

Remember that you can still sign in with a PIN or a fingerprint if you prefer to keep Windows Hello face recognition switched off for now.

