The facial recognition system developed by Microsoft could be bypassed quite easily, according to cybersecurity researchers.
Biometric security is gradually becoming widespread and replacing the old password. Smartphones were among the first to make fingerprint sensors and facial recognition commonplace, but computers have not been left out.
This is how Microsoft came to promote Windows Hello, its biometric security feature based on facial recognition. However, because Windows has to run on so many different configurations, the system is reportedly not that secure.
An infrared image is enough to fool the system
For Windows Hello to work, your computer must be equipped with a webcam that has an infrared sensor in addition to its main sensor, so that it can provide the system with reliable information for unlocking the computer. Nevertheless, it seems that Windows is not very careful about the infrared data it collects.
As Omer Tsarfati, a cybersecurity researcher at CyberArk, explained to Ars Technica, the system developed by Microsoft is not as secure as the company thinks. “We tried to find the weak point of facial recognition,” he explains, specifically targeting the infrared system.
Because Windows has to accommodate many different configurations, it would reportedly be enough to replace the real-time data provided by the infrared sensor with an infrared image of the device's owner. “The easiest thing for an attacker would be to pretend to be the camera, because the whole system relies on its information,” the researcher says.
However, this type of attack is not that easy to set up. The attacker must have access to the targeted computer and a correct infrared image of the device's owner. That has not stopped Microsoft from taking it seriously: the company called the problem a “Windows Hello security feature bypass vulnerability” and published yet another security patch to plug the flaw.