Communications of the ACM
Hackers Got Past Windows Hello by Tricking Webcam
A new method of duping Microsoft's Windows Hello facial recognition system shows a little hardware fiddling can trick the system into unlocking when it should not.
Credit: Ars Technica
Researchers at the security firm CyberArk uncovered a security feature bypass vulnerability in Microsoft's Windows Hello facial recognition system that permitted them to manipulate a USB webcam to unlock a Windows Hello-protected device.
CyberArk's Omer Tsarfati said, "We created a full map of the Windows Hello facial-recognition flow and saw that the most convenient for an attacker would be to pretend to be the camera, because the whole system is relying on this input."
Hackers would need a good-quality infrared image of the victim's face and physical access to the webcam to take advantage of the vulnerability.
Said Tsarfati, "A really motivated attacker could do those things. Microsoft was great to work with and produced mitigations, but the deeper problem itself about trust between the computer and the camera stays there."
Microsoft has released patches to fix the issue.
From Ars Technica
View Full Article
Abstracts Copyright © 2021 SmithBucklin, Washington, DC, USA
No entries found