Windows 10 Facial Recognition Feature Can Be Bypassed with a (low-res printed) Photo

LASER_oneXM

Feb 4, 2016
You can bypass Windows Hello with a low-res printed photo
In a report published yesterday, German pen-testing company SySS GmbH says it discovered that Windows Hello is vulnerable to the simplest and most common attack against facial recognition biometrics software — the doomsday scenario of using a printed photo of the device's owner.

Researchers say that by using a laser color printout of a low-resolution (340x340 pixels) photo of the device owner's face, modified to the near IR spectrum, they were able to unlock several Windows devices where Windows Hello had been previously activated.

The attack worked even if the "enhanced anti-spoofing" feature had been enabled in the Windows Hello settings panel, albeit for these attacks SySS researchers said they needed a photo of a higher resolution of 480x480 pixels (which in reality is still a low-resolution photo).


Updates are available
According to SySS researchers, Microsoft delivered updates to patch this attack only for Windows 10 branches 1703 and 1709, but not earlier 16** releases.

"SySS recommends to update to the latest revision of Windows 10 version 1709, to enable the 'enhanced anti-spoofing' feature, and to reconfigure Windows Hello Face Authentication afterwards," researchers say.

The last step of reconfiguring Windows Hello is necessary because the attack would still work even after the update and also if the user was already using the "enhanced anti-spoofing" feature before the update, as per the third proof-of-concept video released by SySS and embedded below.
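
An audit of one host against the recommendations quoted above, as an added example that is not part of the original post or of the SySS report. It assumes enhanced anti-spoofing is enforced through the Group Policy registry value `EnhancedAntiSpoofing`; the function name is hypothetical, and the patched revision number is not given in the post, so the script only reports the installed revision.

```powershell
# Added example: report where a Windows 10 host stands relative to the
# SySS recommendations (supported branch, anti-spoofing policy, re-enrollment).
function Get-HelloFaceSpoofingPosture {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = $cv.UBR   # update build revision, raised by each cumulative update

    # Build numbers of the releases named in the article.
    $release = switch ($build) {
        14393   { '1607' }
        15063   { '1703' }
        16299   { '1709' }
        default { if ($build -lt 15063) { 'older than 1703' } else { 'newer than 1709' } }
    }

    # Assumption: the setting is deployed as the "Configure enhanced
    # anti-spoofing" policy, stored as a DWORD under this key (1 = enforced).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
    $policy = Get-ItemProperty -Path $policyKey -Name EnhancedAntiSpoofing `
                               -ErrorAction SilentlyContinue
    $antiSpoof = ($null -ne $policy) -and ($policy.EnhancedAntiSpoofing -eq 1)

    $findings = @()
    if ($build -lt 15063) {
        $findings += "Release ${release}: the article reports no fix for this branch; upgrade."
    } else {
        $findings += "Release ${release}, revision ${ubr}: confirm the latest cumulative update is installed."
    }
    if (-not $antiSpoof) {
        $findings += 'Enhanced anti-spoofing is not enforced by policy; enable it.'
    }
    # Re-enrollment cannot be verified from here, so it is always listed.
    $findings += 'Set up Windows Hello face again after updating; older enrollments stay spoofable.'

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Release              = $release
        Build                = "$build.$ubr"
        AntiSpoofingEnforced = $antiSpoof
        Findings             = $findings
    }
}

Get-HelloFaceSpoofingPosture | Format-List
```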

 

Deleted member 65228

Do they even test this stuff before releasing?

 

Tsiehshi

Nov 11, 2017
You'd think others had learned from the Apple face recognition debacle

PS. I don't believe in face recognition (at least its current version relying on 2D images), because I find the whole concept is inherently easy to fool using webcams and the like. You could work with 3D face models created with special devices connected to the computer, but it may not be good enough either.
 

Andytay70

Jul 6, 2015
Good old Microsoft!
Will they ever make something flawless?
 

Danielx64

Mar 24, 2017
You'd think others had learned from the Apple face recognition debacle

PS. I don't believe in face recognition (at least its current version relying on 2D images), because I find the whole concept is inherently easy to fool using webcams and the like. You could work with 3D face models created with special devices connected to the computer, but it may not be good enough either.
Like I said once, let's start looking at what's used in a data center :)
 

DeepWeb

Jul 1, 2017
Article says this only works on Anniversary Update 1607. Creators Update 1703 and 1709 can't be fooled. Fearmongering for no reason. The lesson here is to make sure to update.
 