Security firm CyberArk reports that Windows Hello, the official Windows authentication system that allows you to log on with a PIN code, fingerprint or face recognition, can be bypassed using infrared images.
According to Microsoft's official announcement, Windows Hello is the most widely used authentication system, adopted by 85% of Windows users. CyberArk, which disclosed the Windows Hello vulnerability, focused on the fact that Windows Hello also supports infrared-capable webcams. Working from the assumption that infrared images are not sufficiently verified, the researchers succeeded in bypassing Windows Hello by building a modified USB camera that transmits an infrared version of a captured or reproduced image of the target's face to the authentication system.
The modified USB camera is built so that, when connected, it transmits an infrared version of the target's face image, prepared in advance, to the authentication system. When connected via USB to a system using Windows Hello, the camera is automatically recognized and used for authentication. After it is connected, clicking the face authentication login button is enough for the bypass to succeed.
According to CyberArk, Windows Hello has a function that detects still images when a normal camera is used, but a bug means this function is not applied to infrared images. CyberArk therefore states that the problem lies in the way data from the webcam is processed rather than in the Windows Hello face recognition function itself.
The vulnerability was assigned the identifier CVE-2021-34466 and was fixed in the July 13, 2021 security update. CyberArk made its announcement after waiting for a response from Microsoft. CyberArk also found no evidence that the technique was actually used.