With even Apple jumping on the bandwagon, facial recognition - alongside other forms of biometric identification - have become increasingly popular on consumer devices over the last few years. Though these forms of identification are expected to be more secure and personalised than passwords, sometimes they can be circumvented with the simplest of hacks.
Syss, a security firm based in Germany, has discovered such a vulnerability in Microsoft"s implementation of biometric identification in Windows 10, dubbed Windows Hello. A bevvy of new devices from the company"s partners are starting to include support for facial recognition as a way of unlocking the device but as Syss claims, a simple printout can be used to trick the system.
In a series of proof-of-concept videos published by the firm, Syss shows how Windows Hello on devices running a version of Windows released before the Creators Update can be tricked by taking a headshot of the user in question with a near IR (infrared) camera, and then holding a slightly modified laser printout of the photo in front of the camera. This does mean that Windows Hello cannot be circumvented using just any picture and that the exploit requires special equipment and some image modifications to work.
The hack was proven to work on both a Dell Latitude with a LitBit camera attached via USB and the Surface Pro 4. On those older versions of Windows 10, Syss found that even with the more secure anti-spoofing mode enabled, Windows Hello fell victim to the trick, while newer builds of Windows 10 - Builds 1703 and 1709, respectively - were mindful of the trick with anti-spoofing on. Unfortunately, turning it off resulted in even the latest official version of Windows 10 accepting the printout as valid identification.
Even worse, it seems that simply having the Fall Creators Update (Build 1709) installed with anti-spoofing on is not enough, as you also need to set up the facial recognition on Windows Hello again if the setup was initially performed on an older version of Windows.
Users who frequently rely on Windows Hello to unlock their devices should update to the latest version of Windows 10 through the settings app, enable the anti-spoofing mode and redo the setup in order to make sure their data remains secure.
This is yet another example of just how far the technology has to go. Apple found out the hard way, through elaborate and complicated setups, and even something as simple as a family member that looks similar. Different companies also seem to have different levels of success with their implementation - Windows Hello, for example, can distinguish between twins while Apple"s Face ID cannot. As it stands, it"s best users employ a combination of different authentication schemes in order to achieve the best results.
Source: SYSS via The Register, ZDNet