Fool Windows Hello with a fake camera

Windows Hello's support for third-party webcams with integrated infrared (IR) sensors gives attackers an opening.

Security researchers at CyberArk have found a way to fool Windows Hello's facial recognition. They found that the authentication system only processes the image data collected by the camera's infrared sensor; the visible-light (RGB) frames play no part in verifying the face.

To demonstrate this, CyberArk built a custom USB camera. They loaded an infrared image of the target user's face and an RGB image of the cartoon character SpongeBob into the data stream that the USB camera sends to the Windows Hello authentication system.

Windows Hello accepted the custom USB camera and unlocked the computer on the strength of the infrared image alone, ignoring the irrelevant RGB image. The researchers went further and found that the authentication system would accept the unlock when given just a single IR frame of the user and a black frame.


To exploit this vulnerability, the attacker needs two things: an infrared image of the victim's face, and a way to present the custom camera to the victim's computer, for example by plugging it in over USB. Obtaining the IR image is difficult but not impossible; an attacker could, for instance, break into one of the surveillance camera systems installed everywhere to capture images of the person they want to target.
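Because the attack depends on a rogue USB camera being presented to the machine, a defender's first triage step is simply to know which cameras Windows currently sees and which of them look externally attached. The script below is an added example for that purpose; it is not code from CyberArk's research or from the article. It assumes the standard PnpDevice module on Windows 10/11 and uses the device's bus prefix and its DEVPKEY_Device_RemovalPolicy property as a heuristic for "external"; laptops whose built-in camera sits on an internal USB hub can still show up as USB, so treat the Suspect column as a prompt to check the device, not as proof of tampering.

```powershell
# Added example (not from the article or CyberArk): list the camera devices
# Windows currently sees and flag those that look externally attached.
# Assumptions: Windows 10/11 with the PnpDevice module; the removal-policy
# heuristic below is ours, not something Windows Hello itself checks.

# DEVPKEY_Device_RemovalPolicy values (CM_REMOVAL_POLICY_* in cfgmgr32.h).
$removalPolicyNames = @{
    1 = 'ExpectNoRemoval'        # typical for built-in devices
    2 = 'ExpectOrderlyRemoval'
    3 = 'ExpectSurpriseRemoval'  # typical for pluggable USB devices
}

function Get-CameraInventory {
    # Newer drivers register under the 'Camera' class, older ones under 'Image'.
    $cameras = Get-PnpDevice -PresentOnly -Class Camera, Image -ErrorAction SilentlyContinue

    foreach ($cam in $cameras) {
        $policyRaw = (Get-PnpDeviceProperty -InstanceId $cam.InstanceId `
                        -KeyName 'DEVPKEY_Device_RemovalPolicy' `
                        -ErrorAction SilentlyContinue).Data
        $policy = [int]$policyRaw

        # The instance ID starts with the enumerator, e.g. USB\VID_...&PID_...
        $bus = ($cam.InstanceId -split '\\')[0]

        $policyName = if ($removalPolicyNames.ContainsKey($policy)) {
            $removalPolicyNames[$policy]
        } else {
            "Unknown($policyRaw)"
        }

        [pscustomobject]@{
            Name          = $cam.FriendlyName
            Class         = $cam.Class
            Status        = $cam.Status
            Bus           = $bus
            RemovalPolicy = $policyName
            # Heuristic: a USB camera the system expects to be unplugged is a
            # candidate for the rogue-device scenario described above.
            Suspect       = ($bus -eq 'USB' -and $policy -ne 1)
            InstanceId    = $cam.InstanceId
        }
    }
}

Get-CameraInventory | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the machine you are checking; any row with Suspect set to True is a camera worth physically verifying, and a camera that appears only while the machine is unattended is the pattern to look for in device-install logs.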

This is clearly a weak point in Microsoft's security design. As users increasingly rely on biometrics instead of passwords, software vendors need to make sure their authentication technology is secure.

Microsoft has acknowledged the issue as a vulnerability in the Windows Hello security feature. It has been assigned CVE-2021-34466, and Microsoft is working on a fix. In the meantime, Microsoft recommends that users enable Windows Hello Enhanced Sign-in Security.

However, CyberArk cautions users that not all devices support Windows Hello Enhanced Sign-in Security.
