
Hackers Bypass Windows Hello by Manipulating a Webcam


Biometric authentication is a key piece of the technology industry's plans to make the world passwordless. But a new method for duping Microsoft's Windows Hello face recognition system shows that a little hardware fiddling can trick the system into unlocking when it shouldn't.

Services like Apple's FaceID have made facial recognition authentication more common in recent years, with Windows Hello pushing adoption even further. Apple allows FaceID to be used with the cameras built into recent iPhones and iPads, and it is not yet supported on Macs. But because Windows hardware is so diverse, Hello face recognition works with a range of third-party webcams. Where some may see ease of adoption, however, researchers at the security company CyberArk saw potential vulnerability.

In fact, you can't rely on any old webcam to offer strong protections in how it collects and transmits data. Windows Hello face recognition works only with webcams that have an infrared sensor in addition to the usual RGB sensor. It turns out, however, that the system does not pay attention to the RGB data. This means that with a straight-on infrared image of a target's face and a black frame, the researchers found that they could unlock the victim's Windows Hello protected device.

By manipulating a USB webcam to deliver an attacker-chosen image, the researchers could trick Windows Hello into thinking that the device owner's face was present and unlocking.
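Because the bypass depends on a USB device presenting itself as a camera, one defensive check is to correlate newly recognized external cameras with sign-ins that follow shortly after on the same host. The sketch below is an added example, not code from CyberArk or Microsoft; the record fields, device IDs, approved-camera inventory and 10-minute window are constructed assumptions loosely modeled on Windows Security events 6416 (new external device) and 4624 (logon).

```python
from datetime import datetime, timedelta

# Constructed, simplified records modeled on Windows Security events:
# 6416 = new external device recognized, 4624 = logon (type 7 = unlock).
EVENTS = [
    {"time": "2021-07-20T09:00:05", "host": "WS-01", "id": 6416,
     "class": "Keyboard", "device": "USB\\VID_AAAA&PID_0001\\K1"},
    {"time": "2021-07-20T09:01:00", "host": "WS-01", "id": 4624,
     "logon_type": 7, "user": "alice"},
    {"time": "2021-07-20T13:10:00", "host": "WS-02", "id": 6416,
     "class": "Camera", "device": "USB\\VID_BBBB&PID_0002\\C9"},
    {"time": "2021-07-20T13:12:30", "host": "WS-02", "id": 4624,
     "logon_type": 7, "user": "bob"},
    {"time": "2021-07-20T18:00:00", "host": "WS-02", "id": 4624,
     "logon_type": 7, "user": "bob"},
]

CAMERA_CLASSES = {"camera", "image"}   # device setup classes used by webcams
KNOWN_CAMERAS = set()                  # assumption: inventory of approved device IDs
WINDOW = timedelta(minutes=10)         # assumption: correlation window

def suspicious_unlocks(events, known=KNOWN_CAMERAS, window=WINDOW):
    """Return (host, user, device, seconds) for each unlock or interactive
    logon that follows a newly recognized, unapproved camera on that host."""
    last_cam = {}   # host -> (time, device id) of latest unapproved camera
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 6416:
            cls = ev.get("class", "").lower()
            if cls in CAMERA_CLASSES and ev["device"] not in known:
                last_cam[ev["host"]] = (t, ev["device"])
        elif ev["id"] == 4624 and ev.get("logon_type") in (2, 7, 11):
            seen = last_cam.get(ev["host"])
            if seen and t - seen[0] <= window:
                delay = int((t - seen[0]).total_seconds())
                hits.append((ev["host"], ev["user"], seen[1], delay))
    return hits

if __name__ == "__main__":
    for hit in suspicious_unlocks(EVENTS):
        print("review:", hit)
```

Event 6416 is only logged when the "Audit PNP Activity" audit subcategory is enabled, so this correlation presumes that policy is on for the monitored hosts.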

“We tried to find the weakest point in face recognition and the one that would be most interesting from an attacker’s point of view, the closest option,” says Omer Tsarfati, a researcher at the security firm CyberArk. “We created a full map of the Windows Hello face recognition flow, and we saw that the most convenient for an attacker would be to look like a camera, because the whole system is based on that input.”

Microsoft calls the finding a “Windows Hello Security Feature Bypass Vulnerability” and released patches to address the issue on Tuesday. The company also suggests that users enable “Windows Hello Enhanced Sign-in Security,” which uses Microsoft’s “Virtualization-Based Security” to encrypt Windows Hello face data and process it in a protected area of memory where it cannot be manipulated. The company did not respond to a request for comment from WIRED on CyberArk’s findings.

Tsarfati, who will present the findings at the Black Hat security conference in Las Vegas next month, says the CyberArk team chose to study Windows Hello face recognition authentication primarily because a lot of research has already been done in the industry on PIN cracking and fingerprint sensor spoofing. The group added that the large Windows Hello user base was also a factor. In May 2020, Microsoft said the service had more than 150 million users. In December, the company added that 84.7% of Windows 10 users sign in with Windows Hello.

Although it may seem simple (show the system two photos and you are in), this Windows Hello bypass would not be easy to carry out in practice. The hack requires attackers to have a good quality infrared image of the target’s face and physical access to their device. But the concept is significant as Microsoft continues to push adoption of Hello with Windows 11. The hardware diversity that Windows devices support and the deplorable state of IoT security could compound the problem of how Windows Hello accepts face data.

“A really motivated attacker can do those things,” Tsarfati says. “Microsoft did a great job and streamlined them, but the deep problem of trust between the computer and the camera remains the same.”
