Vulnerability Found In Windows Hello Facial Recognition

Share post:

A potential vulnerability in Microsoft’s Windows Hello facial recognition system was recently discovered by security firm CyberArk.

Unlike Apple’s FaceID, which lets users use the feature only with cameras embedded in their latest iPhones and iPads, Hello facial recognition works with a number of third-party webcams.

By manipulating a USB webcam to deliver an image selected by attackers, researchers discovered that Windows Hello could be tricked into thinking the device owner’s face was present.

Microsoft called the vulnerability “Windows Hello security feature bypass vulnerability.” The company released patches on Tuesday which helped fix the issue.

The company also suggests that users use “Windows Hello enhanced sign-in security.”

A researcher from the security firm CyberArk, Omer Tsarfati, took a closer look at the vulnerability discovered and explained: “We tried to find the weakest point in the facial recognition and what would be the most interesting from the attacker’s perspective, the most approachable option. We created a full map of the Windows Hello facial-recognition flow and saw that the most convenient for an attacker would be to pretend to be the camera, because the whole system is relying on this input.”

For more information, read the original story in Arstechnica.

Featured Tech Jobs


Related articles

All Okta customer support users had their email addresses copied

Identity and access provider Okta now says the threat actor who accessed its customer help desk system last month got the names and email addresses of all contacts of organizations that use its support system. Originally, the company said that, after an investigation, it determined only one per cent of the contacts from its 18,000

Failure of technology to detect attacks is a prime cause of breaches: Survey

Despite the money being poured into cybersecurity by IT departments, the leading cause of breaches of security controls was the failure of technology to detect an attack, a new survey from Trellix suggests. Forty-two per cent of respondents to the international survey of infosec leaders whose organization had suffered a recent cyber attack said their

Canadian group gets $2.2 million to research AI threat detection for wireless networks

Ericsson Canada and three universities have been awarded funds by the National Cybersecurity

Cyber Security Today, Nov. 29, 2023 – More ransomware attacks on the healthcare sector

This episode reports on a company hit twice by a ransomware gang, the arrest in Ukraine of the alleged head of a ransomware gang

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways