Microsoft quietly updated Windows 10 to fix 'Hello' facial recognition flaw

Just a simple photo was all it took to get round Microsoft's 'Hello' facial recognition in Windows 10, say SySS researchers

Microsoft has quietly patched a security flaw in its Windows 10 'Hello' facial recognition system that allowed attackers to authenticate simply by using a printed photo of the device owner.

Microsoft developed Hello to add an extra layer of biometric protection to the Windows 10 operating system. It uses infrared imaging to unlock devices such as desktops, laptops and tablets.

These devices need cameras with infrared sensors, but the technology has already proven popular among people with access to such hardware.

However, according to a report from German security firm SySS GmbH, attackers can defeat the biometric system with the simplest of methods: printing out a low-resolution photo of the owner of the device.

"To circumvent Windows Hello Face Authentication on numerous Windows 10 versions in an unauthorised way, an attacker only needs a special paper printout on the face of an authorized person," said the researchers.

To get into a device using the Hello system, someone only needs to print out a coloured photo (around 340x340 pixels) of the device's owner. Researchers were able to get into several devices through this method.

"With paper printouts of this type, it is possible to successfully bypass Windows Hello Face Authentication in different versions of Windows 10 with different hardware and software configurations," they said.

"Windows 10 face recognition is an integral part of the Windows Biometric Framework (WBF), which is a core component of the Windows 10 operating system.

"Windows Hello Face Authentication uses information from a special near-infrared camera (near-IR camera) and, depending on the Windows 10 version used, additional information from an RGB camera for user authentication."

The worrying thing is that Hello actually has an "enhanced anti-spoofing feature", but the researchers were still able to bypass it and get into a device.

The researchers noted that while Microsoft has delivered a patch for Windows 10 branches 1703 and 1709, it does not extend to 16** releases.

"SySS recommends to update to the latest revision of Windows 10 version 1709, to enable the 'enhanced anti-spoofing' feature, and to reconfigure Windows Hello Face Authentication afterwards," added the researchers.