If you’ve skipped recent Creators Updates, here’s a reason to change your mind: its facial recognition feature, Hello, can be spoofed with a photograph.

The vulnerability was announced by German pentest outfit Syss at Full Disclosure.

Even if you’ve installed the fixed versions that shipped in October – builds 1703 or 1709 – facial recognition has to be up from scratch to make it resistant to the attack.

The “simple spoofing attacks” described in the post are all variations on using a “modified printed photo of an authorised ” (a frontal photo, naturally) so an attacker can log into a locked Windows 10 system.

On vulnerable versions, both the default config, and Windows Hello with its “enhanced anti-spoofing” feature enabled, Syss claimed.

“If ‘enhanced anti-spoofing’ is enabled, depending on the targeted Windows 10 version, a slightly different modified photo with other attributes has to be used, but the additional effort for an attacker is negligible.”

The tested their attack against a Dell Latitude running Windows 10 Pro, build 1703; and a Microsoft Surface Pro running 4 build 1607.

They tried to change the Surface Pro’s config to “enhanced anti-spoofing”, but claimed its “LilBit USB IR camera only supported the default configuration and could not be used with the more secure face recognition settings.”

The researchers published three proof-of-concept videos, below. ®

Youtube Video

Youtube Video

Youtube Video



Source link

No tags for this post.

LEAVE A REPLY

Please enter your comment!
Please enter your name here