We always insist on the importance of correctly protecting our PC session to prevent unauthorized users from having access to our data. Using a long and complex password is ultimately the best option, but it is also the least practical. Therefore, with the arrival of Windows 10, Microsoft implemented a series of biometric login systems that would allow us to login to the PC quickly and easily, and in the safest possible way. This is Windows Hello .
Windows Hello allows us to log into the PC in several different ways. The most used technique for this process is the PIN , a 4-digit code that we can enter into the PC to unlock the session, similar to a credit card code. We can also log in using the fingerprint (if our PC has a reader), use a security key to unlock the PC instantly, and even a webcam , with infrared, to recognize our face and allow us to enter the PC.
Initially, these advanced login systems are safe and, they are not supposed to endanger our PC in any way. However, they have found a way to fool the facial recognition system.
This is how they can fool Windows Hello with a fake webcam
A group of hackers has been able to demonstrate how easy it is to create a fake USB webcam , with a micro-computer similar to the Raspberry Pi, which is responsible for sending infrared images designed for this purpose, directly to the Windows Hello controller. And he accepts them without any problem.
The problem is that, by default, Windows Hello supports that any camera with infrared support is a Windows Hello camera. It does not check any other way nor does it have any other requirement to be considered “safe”, but simply by having infrared it can already be used for facial recognition.
The only thing that we would need to be able to carry out this cyber attack is an infrared capture of the person in question and a photo of the same in black and white . The former is used as an identification system, while the latter is a “proof of life”.
Hackers can get the IR image of the person in many different ways. For example, they can take long-distance infrared captures, or place covert cameras in the person’s environment, such as in an elevator.
Microsoft has admitted the failure
Microsoft has been quick to admit the security issue, which has already been registered as CVE-2021-34466 . While the company finds a way to mitigate this security flaw (something that, admittedly, is complicated), Microsoft has recommended that users turn on enhanced login security. Thanks to it, only OEM trusted cameras can be used as a Windows Hello authentication system.
In this way, the external USB camera could not inject the image and fool the login system. Unfortunately, the list of OEM cameras validated by Microsoft is very small, and we may have problems.
We remember that we can also use a PIN, or a fingerprint, to log in if we do not want to have Windows Hello activated for now.