Security Researchers Bypassed Windows Hello By Tricking A Webcam

Windows Hello? More like Windows Goodbye.


Biometric authentication is now quite common among smartphones and other mobile devices. Fingerprint authentication, face unlock have been available for a while now, before laptops or desktops got them. Windows Hello is Microsoft’s passwordless authentication service to let users sign in to Windows. However, security researchers were able to bypass Windows Hello’s face unlock.

Windows Hello is incorporated with three authentication methods: PIN-based unlock, fingerprint authentication, and facial recognition.

Tricking A Webcam To Bypass Windows Hello

Likewise, Windows Hello’s facial recognition doesn’t work on all webcams. Microsoft requires webcams to have an extra infrared sensor and the regular RGB sensor to make them secure. Researchers at CyberArk bypassed Windows Hello by tricking a webcam.

The fact that old webcams do not include IR sensors makes them incompatible with Windows Hello Face. Facial recognition requires a frame from the RGB sensor and another from the IR sensor. The researchers tricked Windows Hello by manipulating a USB webcam to deliver a user-provided image.

“We created a full map of the Windows Hello facial-recognition flow and saw that the most convenient for an attacker would be to pretend to be the camera because the whole system is relying on this input,” says Omer Tsarfati, a researcher at CyberArk.

Windows Hello Attack Path Diagram
Windows Hello Attack Path Diagram. Source: CyberArk

As mentioned before, Windows Hello’s framework only requires two frames: one from the RGB sensor and one from the IR sensor. A researcher from CyberArk said that during a test, “the RGB frames we sent were images of SpongeBob, and to our surprise, it worked!” Does this mean that Windows Hello isn’t all that secure?

Certainly, Microsoft faced a blow on its face. The tech giant released a patch for the same vulnerability on July 13. CyberArk plans to investigate further into the security flaws of Windows Hello and unveil it to the world later.

Although it’s not easy to bypass it just like that. The process is complicated and rests assured, and most users aren’t at risk.

Do you use Windows Hello Face? Let us know in the comments below.

Siddharth Dudeja

Siddharth Dudeja

An engineering student with a keen interest in most aspects of technology. Likes to write about Microsoft, Apple, Laptops, Gaming, etc.
More From Fossbytes

Latest On Fossbytes

Find your dream job