Researchers bypass Windows Hello authentication with fake camera and IR images

Security researchers have managed to circumvent Microsoft’s Windows Hello security system. A security company managed to trick Windows Hello facial recognition using a fake camera and infrared images from the owner of the system.

Cybersecurity firm CyberArk was able to bypass a computer’s Windows Hello security via a proprietary USB device, which was supposed to mimic a webcam and contain infrared images of the system’s owner.

Windows Hello is an authentication system for Windows PCs, which can be used in various ways. Users can deploy Windows Hello with a PIN, fingerprint, or facial recognition. For the latter, Windows Hello requires a webcam that records both RGB and infrared images.

CyberArk researchers found that the authentication system only processes the infrared frames. To verify that, the researchers made a USB device with an evaluation board from NXP. On that USB device, they placed infrared images of the Windows Hello user and color images of Spongebob. The device was recognized as a USB webcam and was successfully used to bypass Windows Hello.

Microsoft has since fixed the security problem in a patch . In a document , the company points out to users that they can disable the use of remote Windows Hello cameras if desired by adding a value to the registry in Windows. In practice, it will also be difficult to exploit this vulnerability on unpatched systems, as this would require infrared images of the system owner and physical access to the computer in question.