Microsoft's Windows Hello can be fooled by a printed photograph



Wednesday, 27 December 2017


Facial recognition systems such as Microsoft's Windows Hello are increasingly common, and we rely almost blindly on them to protect access to our devices. Almost all operating systems let users log in and access secure areas with facial recognition, but these systems have been shown to be vulnerable as well.

Windows Hello, the Microsoft system that lets users sign in to Windows 10 using facial recognition, can be deceived with a printed photograph.

Matthias Deeg and Philipp Buchegger, computer security researchers at the German company SySS GmbH, have published three videos in which they test several computers running different versions of the latest Microsoft operating system.

According to their research, Windows 10 Anniversary Update is vulnerable to an impersonation attack that uses a printed infrared photo of an authorized person with certain very specific characteristics. However, systems with the Creators Update, launched in the first half of this year, and the Fall Creators Update, released about two months ago, are immune to these methods if the computers support the anti-spoofing feature and have it activated.

In addition to the different versions of Windows Hello tested, the SySS team also evaluated a number of computers on which the system is available. The flaw was found on the Microsoft platform and on other computers, such as the Dell Latitude.

Although the flaw was not simple to discover, the attack on Microsoft's Windows Hello is very real and can be used in real scenarios to gain unauthorized access to machines. An average user would not have to worry, however, because preparing such an attack takes a lot of logistics and several trials to produce a print capable of tricking Microsoft's authentication: a photograph taken with a near-infrared camera, with specially modified brightness and contrast, and printed on a laser printer. Certainly difficult, but not impossible.

The experts give only three recommendations for avoiding the attack on Windows Hello as far as possible. The first is to update all systems to the Fall Creators Update version of Windows 10, where Hello is more robust and requires much greater precision to work.

The second recommendation is to set up the biometric system again on the machines that use it, so that new images of the user are collected. Finally, they also advise activating Hello's anti-spoofing feature, which is available in the most recent versions.
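The first and third recommendations can be checked on a host with a short audit script. This is an added example, not code from SySS or Microsoft: the function name `Get-HelloFaceSpoofingPosture` is hypothetical, and the script assumes the anti-spoofing setting is deployed through the Group Policy "Configure enhanced anti-spoofing", which is stored as the `EnhancedAntiSpoofing` registry value read below. It cannot tell whether the camera hardware supports the feature or whether the user has re-enrolled.

```powershell
# Added example: audit a Windows 10 host against the update and
# anti-spoofing recommendations. Windows 10 build numbers:
#   14393 = Anniversary Update (1607)
#   15063 = Creators Update (1703)
#   16299 = Fall Creators Update (1709)
function Get-HelloFaceSpoofingPosture {
    param(
        [Parameter(Mandatory)][int]$Build,
        # Value of the EnhancedAntiSpoofing policy; $null when it is not set.
        [Nullable[int]]$EnhancedAntiSpoofing
    )
    $findings = @()
    if ($Build -lt 15063) {
        $findings += "Build $Build predates the Creators Update: update Windows."
    } elseif ($Build -lt 16299) {
        $findings += "Build $Build predates the Fall Creators Update: update recommended."
    }
    if ($EnhancedAntiSpoofing -ne 1) {
        $findings += 'Enhanced anti-spoofing policy is not enabled.'
    }
    [pscustomobject]@{
        Build                = $Build
        EnhancedAntiSpoofing = $EnhancedAntiSpoofing
        Compliant            = ($findings.Count -eq 0)
        Findings             = $findings
    }
}

# Read the running build number of the local machine.
$versionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int](Get-ItemProperty -Path $versionKey).CurrentBuildNumber

# Read the policy value; a missing key or value yields $null.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
$policy = (Get-ItemProperty -Path $policyKey -Name EnhancedAntiSpoofing `
               -ErrorAction SilentlyContinue).EnhancedAntiSpoofing

Get-HelloFaceSpoofingPosture -Build $build -EnhancedAntiSpoofing $policy
```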

Microsoft has not yet commented on the Windows Hello vulnerability, although SySS has already notified it of the problem. However, since the Fall Creators Update appears to be less vulnerable, that release should have addressed the problem.

After Samsung's facial recognition system was broken with a photo, and Face ID itself had problems with twins and other people, it is now the turn of Microsoft's Windows Hello to be the victim and to show serious security vulnerabilities. This system was presented as safe and has served as an example to others of robustness, a reputation that now falls to the ground.
