Communications of the ACM

ACM TechNews

Hackers Got Past Windows Hello by Tricking Webcam

These Windows Hello bypasses would not be easy to carry out in practice.

A new method of duping Microsoft's Windows Hello facial recognition system shows a little hardware fiddling can trick the system into unlocking when it should not.

Credit: Ars Technica

Researchers at the security firm CyberArk uncovered a security feature bypass vulnerability in Microsoft's Windows Hello facial recognition system that permitted them to manipulate a USB webcam to unlock a Windows Hello-protected device.

CyberArk's Omer Tsarfati said, "We created a full map of the Windows Hello facial-recognition flow and saw that the most convenient for an attacker would be to pretend to be the camera, because the whole system is relying on this input."

Hackers would need a good-quality infrared image of the victim's face and physical access to the webcam to take advantage of the vulnerability.

Said Tsarfati, "A really motivated attacker could do those things. Microsoft was great to work with and produced mitigations, but the deeper problem itself about trust between the computer and the camera stays there."

Microsoft has released patches to fix the issue.

From Ars Technica


Abstracts Copyright © 2021 SmithBucklin, Washington, DC, USA

