Researchers from CyberArk used a single infrared picture followed by an all-black frame to fool Windows Hello, the password less login mechanism integrated into Windows 10 and Windows 11. 

Windows Hello uses a user-generated PIN, a fingerprint scanner, and a face recognition technology to authenticate users. The researchers at CyberArk focused on the system’s face recognition capabilities, but flaws were identified in other areas as well. 

A camera with both RGB and infrared sensors is required for the facial recognition capability. However, CyberArk’s researchers noticed that throughout the authentication process, only frames collected by the infrared sensor are used, which is where their vulnerability comes in. 

According to CyberArk, the weakness “allows an attacker with physical access to the device to influence the authentication process by taking or reproducing a photo of the target’s face and then injecting the faked photos to the authenticating host via a custom-made USB device.” 

Only two frames are required for the attack to work: one legitimate infrared frame of the target and at least one RGB frame containing virtually anything else. “The RGB frames we transmitted were photos of SpongeBob, and to our amazement, it worked!” the researchers claimed in one test. 

These vulnerabilities have the potential to cause significant problems for Windows Hello users. That’s a significant market: “The number of customers utilizing Windows Hello to sign in to Windows 10 devices instead of a password rose to 84.7 percent from 69.4 percent in 2019,” Microsoft reported in December 2020. 

The firm didn’t say how many Windows Hello users utilize face recognition vs how many use a fingerprint scanner or just use a PIN, but with 1.3 billion Windows 10 users, even a tiny proportion may harm millions of computers. 

On July 13, Microsoft issued a fix for this vulnerability. At Black Hat 2021, CyberArk aims to share further details about the exploit—as well as the mitigations contained in the patch.