Researchers tricked Windows 10 face identification with a photo

Security researchers fooled Windows Hello face identification with this crayon colored printed photo.

caption
Security researchers fooled Windows Hello face identification with this crayon colored printed photo.
source
YouTube/SySS Pentest TV

  • Using your face as a password seems like an ideal situation. You can’t forget it, and others can’t easily steal it.
  • But it turns out, Microsoft’s face-authentication software for some older versions of Windows 10 can be fooled rather easily with a modified photo.
  • The good news is that the latest versions of Windows 10 have fixed the flaw.

German security researchers SYSS have published a series of videos showing how they tricked Windows 10’s face authentication, known as Hello Windows, with a photo.

They tested the attack with a Dell Latitude and a Microsoft Surface Pro, and found that over a half dozen versions of Windows 10 could be tricked. They posted their findings to Full Disclosure, a site where researchers publish the holes they find, where it was first spotted by The Register’s Richard Chirgwin.

As is typical with these types of things, there are caveats. The biggest is that if you are using the latest version of Windows, the “Fall Creators Update,” (aka versions 1703 or 1709), you may be safe. Those versions fixed the flaw – but you have to set up Hello Windows from scratch. Hello Windows has a feature called “anti-spoofing,” and that feature must be turned on as well.

Another caveat is that the photo had to be modified to look like it was a scan by a near-infrared camera. Windows Hello uses near-infrared cameras to unlock devices because they work well in low light and most photographs are not taken with such cameras. In one test, they printed the photo using a printer and then colored it with a red crayon.

The lesson here is that face identification, although promising, is still far from totally foolproof, and your best bet is to make sure you always keep all your devices updated.

Microsoft had no comment on the security flaw.