"Hackers Got Past Windows Hello by Tricking a Webcam"
Researchers from the security firm CyberArk have discovered a potential vulnerability in Microsoft's facial recognition technology and demonstrated a new method for deceiving the Windows Hello facial recognition system. Windows Hello facial recognition only works with webcams that have an infrared sensor in addition to the regular RGB sensor. However, the system does not look at RGB data, meaning that with one straight-on infrared image of a target's face and one black frame, the researchers were able to unlock the victim's Windows Hello–protected device. By manipulating a USB webcam into delivering an attacker-chosen image, they tricked Windows Hello into thinking that the device owner's face was present and unlocking the device. The researchers created a complete map of the Windows Hello facial recognition system and found that it would be more convenient for an attacker to pretend to be the camera, since the entire system relies on that input. Microsoft considers the researchers' finding a Windows Hello security feature bypass vulnerability. The company recently released patches to address the vulnerability and suggested that users enable Windows Hello enhanced sign-in security, which applies virtualization-based security to encrypt Windows Hello face data and to process it in a protected memory area where attackers cannot tamper with it. The CyberArk research falls into the category of hacks known as downgrade attacks, in which a device is tricked into relying on a less secure mode (e.g., a malicious cell phone tower that forces a phone to use 3G mobile data, with its weaker defenses, instead of 4G). This article continues to discuss the use of infrared photos and third-party hardware to fool Microsoft's facial recognition technology.
Wired reports "Hackers Got Past Windows Hello by Tricking a Webcam"