Face recognition of 'Windows Hello' turned out to be able to break through with infrared images
by
CyberArk, a security company, reported that 'Windows Hello, ' the official Windows authentication system that allows you to log on with a PIN code, fingerprint authentication, or face authentication, 'can break through with infrared photos.'
Bypassing Windows Hello Without Masks or Plastic Surgery
https://www.cyberark.com/resources/threat-research-blog/bypassing-windows-hello-without-masks-or-plastic-surgery
Windows Hello bypassed using infrared image --The Record by Recorded Future
https://therecord.media/windows-hello-bypassed-using-infrared-image/
According to Microsoft's official announcement , Windows Hello is one of the most widely used authentication systems, adopted by 85% of Windows users. CyberArk, who has been working on this vulnerability in Windows Hello, noticed that Windows Hello even supports infrared-enabled webcams. Based on the assumption that the verification process may be inadequate in the case of infrared video, we created a 'modified USB camera that sends an infrared video version of the captured or reproduced target's face photo to the authentication system'. You have succeeded in breaking through Windows Hello.
The video of the verification test is below.
The actual Windows Hello is used in the experiment.
This is the semiconductor board of the modified USB camera. When connected, the infrared image version of the target's face photo created in advance is sent to the authentication system.
Due to the specifications of Windows Hello, the camera is automatically recognized and used for authentication just by connecting via USB.
After connecting, just click the 'Login with face recognition' button and the breakthrough is successful.
According to CyberArk, Windows Hello has a function to detect that it is a still image when using a normal camera, but there is a problem that this function is not applied to infrared images. As a result, CyberArk notes that 'it's not the problem with Windows Hello's facial recognition itself, but the way it processes data from the webcam.'
The above-mentioned vulnerability has been assigned the identifier 'CVE-2021-34466 ' and has been fixed by a security update dated July 13, 2021, and this announcement of CyberArk will be waited for Microsoft's response. It was done. 'We haven't found any evidence that this technique was actually used,' said CyberArk.
A similar vulnerability was reported in 2017 as well.
Windows 10's facial recognition feature turns out to be fooled by low-resolution color copies of infrared photos-GIGAZINE
Related Posts:
