The vulnerability was disclosed by German pentest outfit Syss on the Full Disclosure mailing list.
Even if you have installed the fixed versions that shipped in October, 1703 or 1709, facial recognition has to be set up from scratch: a face template enrolled on a vulnerable build remains usable for the spoof, so it must be removed and re-enrolled before Windows Hello resists the attack.
The “simple spoofing attacks” described in the post are all variations on using a “modified printed photo of an authorised user” (a frontal photo, naturally) so an attacker can log into a locked Windows 10 system.
On vulnerable versions the attack worked against both the default configuration and Windows Hello with its “enhanced anti-spoofing” feature enabled, Syss claimed.
“If ‘enhanced anti-spoofing’ is enabled, depending on the targeted Windows 10 version, a slightly different modified photo with other attributes has to be used, but the additional effort for an attacker is negligible.”
They tried to change the Surface Pro’s config to “enhanced anti-spoofing”, but claimed its “LilBit USB IR camera only supported the default configuration and could not be used with the more secure face recognition settings.”
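For an administrator who wants to check where a fleet stands, the following is an added PowerShell example (not code from Syss or from this article) that reports the Windows 10 release and whether the “enhanced anti-spoofing” policy is enforced, and that sets the policy if asked. It assumes the policy lives at the registry location the Group Policy setting “Configure enhanced anti-spoofing” writes to (`HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures`, value `EnhancedAntiSpoofing`); the function names are the author's own.

```powershell
# Added example, not from the Syss advisory or the article it describes.
# Assumption: the "Configure enhanced anti-spoofing" Group Policy is stored at
# this registry path as a DWORD named EnhancedAntiSpoofing (1 = enforced).
# Run in an elevated PowerShell session on the Windows 10 host being audited.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
$ValueName = 'EnhancedAntiSpoofing'
$VersionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-HelloAntiSpoofingState {
    # ReleaseId is "1703" or "1709" on the releases the article names;
    # CurrentBuild is 15063 for 1703 and 16299 for 1709.
    $ver = Get-ItemProperty -Path $VersionKey
    $setting = $null
    if (Test-Path $PolicyKey) {
        $setting = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    }
    $state = if ($setting -eq 1) { 'Enforced' }
             elseif ($null -eq $setting) { 'Not configured (device default applies)' }
             else { 'Disabled by policy' }
    [pscustomobject]@{
        ReleaseId            = $ver.ReleaseId
        CurrentBuild         = $ver.CurrentBuild
        EnhancedAntiSpoofing = $state
    }
}

function Enable-HelloAntiSpoofing {
    # Writes the policy value. This does not fix an already-enrolled face:
    # the user must remove the face template and set it up again afterwards
    # (Settings > Accounts > Sign-in options > Windows Hello Face).
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$state = Get-HelloAntiSpoofingState
$state | Format-List

if ([int]$state.CurrentBuild -lt 15063) {
    Write-Warning "Build $($state.CurrentBuild) predates the releases the advisory lists as fixed."
}
if ($state.EnhancedAntiSpoofing -ne 'Enforced') {
    Write-Warning 'Enhanced anti-spoofing is not enforced; run Enable-HelloAntiSpoofing, then remove and re-enrol the face template.'
}
```

Two caveats follow from the article itself. First, enforcing the policy only helps once the face template has been re-enrolled, which is why the script nags rather than claiming the host is fixed. Second, as Syss found with the LilBit USB IR camera, not every Hello-capable camera supports the enhanced mode, so on such hardware enforcing the policy may leave face sign-in unavailable rather than hardened; test on a representative device before pushing the setting fleet-wide.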
The researchers published three proof-of-concept videos, below. ®