CyberArk researchers tricked Windows Hello, the passwordless authentication system built into Windows 10 and Windows 11, using a single infrared image accompanied by an all-black frame.
Windows Hello encompasses three authentication methods: a user-generated PIN, a fingerprint scanner, and a facial recognition tool. The researchers at CyberArk specifically targeted its facial recognition capabilities, but issues have also been discovered in other aspects of the system.
The facial recognition feature requires a camera with both RGB and infrared sensors on board. CyberArk’s researchers found, however, that only the frames captured by the infrared sensor are actually evaluated during authentication; the RGB frames are received but never consulted. That gap is what their exploit targets.
CyberArk said the flaw “allows an attacker with physical access to the device to manipulate the authentication process by capturing or recreating a photo of the target’s face and subsequently plugging in a custom-made USB device to inject the spoofed images to the authenticating host.”
The exploit requires only two frames to function: one valid infrared frame of the target and at least one RGB frame containing seemingly anything at all. The researchers said that during one test “the RGB frames we sent were images of SpongeBob, and to our surprise, it worked!”
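The following is an added illustration of the design weakness described above, written for this article; it is not CyberArk’s proof-of-concept and not Microsoft’s implementation. It models a two-sensor face check in which the decision consults only the infrared channel, so a stream made of one genuine IR frame plus an unrelated RGB frame is accepted. The face “embeddings”, the Hamming-distance matcher, the threshold and the both-channels variant are all constructed assumptions for the sake of the model.

```python
"""Toy model of a two-sensor face check that consults only one channel.

Illustrative code added for this article; it is not CyberArk's tooling or
Microsoft's implementation. Face "embeddings" are constructed fixed-length
byte strings, and a "match" is a Hamming distance under an assumed threshold.
"""
from dataclasses import dataclass
from typing import Iterable

MATCH_THRESHOLD = 8  # assumed: max differing bits for two embeddings to match


@dataclass(frozen=True)
class Frame:
    channel: str      # "ir" or "rgb"
    embedding: bytes  # constructed 16-byte feature vector for the face in the frame


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def matches(frame: Frame, template: bytes) -> bool:
    """True if the frame's embedding is within MATCH_THRESHOLD bits of the template."""
    return (len(frame.embedding) == len(template)
            and hamming(frame.embedding, template) <= MATCH_THRESHOLD)


def authenticate_ir_only(frames: Iterable[Frame], ir_template: bytes) -> bool:
    """Flawed decision: RGB frames are present in the stream but never looked at.

    This mirrors the behaviour the researchers describe: a single valid IR frame
    of the target is sufficient, whatever the RGB channel contains.
    """
    return any(matches(f, ir_template) for f in frames if f.channel == "ir")


def authenticate_both_channels(frames: Iterable[Frame],
                               ir_template: bytes, rgb_template: bytes) -> bool:
    """Hypothetical hardened decision: each sensor channel must match independently.

    This is an assumption about how a cross-channel check could look, not a
    description of Microsoft's actual fix.
    """
    frames = list(frames)
    ir_ok = any(matches(f, ir_template) for f in frames if f.channel == "ir")
    rgb_ok = any(matches(f, rgb_template) for f in frames if f.channel == "rgb")
    return ir_ok and rgb_ok


# Constructed enrolment templates for the victim (one per sensor channel).
VICTIM_IR_TEMPLATE = bytes([0xA5] * 16)
VICTIM_RGB_TEMPLATE = bytes([0x3C] * 16)

# Constructed frame streams. The spoof stream is what a USB device posing as the
# camera would inject: an IR capture of the victim plus an arbitrary RGB image.
LEGIT_STREAM = [
    Frame("ir", bytes([0xA5] * 15 + [0xA4])),   # victim, 1 bit off
    Frame("rgb", bytes([0x3C] * 15 + [0x3D])),  # victim, 1 bit off
]
SPOOF_STREAM = [
    Frame("ir", VICTIM_IR_TEMPLATE),             # photo of the victim's face in IR
    Frame("rgb", b"spongebob-square\x00"[:16]),  # unrelated RGB content
]


def demo() -> dict:
    """Run both decision procedures over both streams and return the outcomes."""
    return {
        "legit_ir_only": authenticate_ir_only(LEGIT_STREAM, VICTIM_IR_TEMPLATE),
        "spoof_ir_only": authenticate_ir_only(SPOOF_STREAM, VICTIM_IR_TEMPLATE),
        "legit_both": authenticate_both_channels(LEGIT_STREAM, VICTIM_IR_TEMPLATE, VICTIM_RGB_TEMPLATE),
        "spoof_both": authenticate_both_channels(SPOOF_STREAM, VICTIM_IR_TEMPLATE, VICTIM_RGB_TEMPLATE),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'}")
```

The point of the model is that a sensor whose output is never consulted adds no security: the IR-only decision accepts the spoof stream exactly as it accepts a genuine one, and only a decision that actually depends on the second channel distinguishes them. Whether a given cross-channel check is hard to spoof in practice is a separate question the article does not address.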
These flaws could have caused serious issues for Windows Hello users. That’s a sizable market: Microsoft said in December 2020 that “the number of consumers using Windows Hello to sign in to Windows 10 devices instead of a password grew to 84.7 percent from 69.4 percent in 2019.”
The company didn’t reveal what percentage of those Windows Hello users rely on facial recognition compared with the share using a fingerprint scanner or only a PIN, but with 1.3 billion Windows 10 users, even a relatively small share could affect millions of devices.
Microsoft released a patch related to this vulnerability on July 13, 2021. CyberArk plans to reveal more information about the exploit, and the mitigations included with that patch, at Black Hat 2021.