Windows 10 Hello face recognition can be fooled with photos

After you update, set it up again from scratch


If you've skipped recent Windows 10 Creators Updates, here's a reason to change your mind: its facial recognition security feature, Hello, can be spoofed with a photograph.

The vulnerability was announced by German pentest outfit Syss at Full Disclosure.

Even if you've installed the fixed versions that shipped in October – builds 1703 or 1709 – facial recognition has to be set up from scratch to make it resistant to the attack.

The “simple spoofing attacks” described in the post are all variations on using a “modified printed photo of an authorised user” (a frontal photo, naturally) so an attacker can log into a locked Windows 10 system.

On vulnerable versions the attack works against both the default configuration and Windows Hello with its “enhanced anti-spoofing” feature enabled, Syss claimed.

“If 'enhanced anti-spoofing' is enabled, depending on the targeted Windows 10 version, a slightly different modified photo with other attributes has to be used, but the additional effort for an attacker is negligible.”

The researchers tested their attack against a Dell Latitude running Windows 10 Pro, build 1703, and a Microsoft Surface Pro 4 running build 1607.

They tried to change the Surface Pro's config to “enhanced anti-spoofing”, but claimed its “LilBit USB IR camera only supported the default configuration and could not be used with the more secure face recognition settings.”
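For administrators checking a fleet against this finding, here is an added PowerShell check that is not part of the article or of SySS's work. It reports whether a host is on one of the Windows 10 builds named above and whether the "Configure enhanced anti-spoofing" policy is enforced; the mapping of version 1703/1709 to build numbers 15063/16299 and the policy registry path are assumptions of this example, and the re-enrolment the article describes cannot be verified from the registry, so it is reported as a reminder only.

```powershell
# Added example, not code from the article or from SySS.
# Assumption: Windows 10 version 1703 = build 15063, version 1709 = build 16299.
$FixedBuilds = @{ 15063 = '1703'; 16299 = '1709' }
# Assumption: path written by the "Configure enhanced anti-spoofing" Group Policy.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'

function Test-HelloFaceSpoofFix {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Is this host on a build that shipped the Hello face fix (1703 or later)?
    $onFixedBuild = $build -ge 15063
    $versionLabel = if ($FixedBuilds.ContainsKey($build)) { $FixedBuilds[$build] }
                    elseif ($onFixedBuild) { "newer than 1709" }
                    else { "older than 1703" }

    # Enhanced anti-spoofing policy: 1 = enabled, 0 = disabled, absent = not configured.
    $antiSpoof = (Get-ItemProperty -Path $PolicyPath -Name 'EnhancedAntiSpoofing' `
                    -ErrorAction SilentlyContinue).EnhancedAntiSpoofing
    $antiSpoofState = switch ($antiSpoof) { 1 { 'Enabled' } 0 { 'Disabled' } default { 'NotConfigured' } }

    # Per the article, the fix only takes effect once face recognition is
    # re-enrolled from scratch; that cannot be detected here, so flag it as a to-do.
    $action = if (-not $onFixedBuild) {
        'VULNERABLE: update to 1703/1709 or later, then re-enrol Windows Hello face'
    } else {
        'On a fixed build: ensure Windows Hello face was re-enrolled after the update'
    }

    [PSCustomObject]@{
        ComputerName          = $env:COMPUTERNAME
        Build                 = $build
        Version               = $versionLabel
        OnFixedBuild          = $onFixedBuild
        EnhancedAntiSpoofing  = $antiSpoofState
        RecommendedAction     = $action
    }
}

Test-HelloFaceSpoofFix | Format-List
```

Run it across a fleet with `Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Test-HelloFaceSpoofFix}` after dot-sourcing the file, and treat every host with `OnFixedBuild` false as still exposed to the photo attack.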

The researchers published three proof-of-concept videos. ®

