
Windows Hello critical vulnerability, defeated by pictures of people's faces.

ItsMitch

A new critical bug has emerged in Windows 10 Hello which (I dunno if the LMG team uses it, maybe @nicklmg can confirm or not) bypasses its authentication with a very simple printed picture. The bug is currently affecting all Windows 10 Hello machines (Version 1607 with the Enhanced Anti-Spoofing feature enabled). The user in the video sets up his Windows Hello and uses a printer to get a normal picture of his face. He uses a picture with a resolution of 340x340p (which, might I add, Microsoft, how the fuck did you break this so badly?) and the picture was awfully dark, barely showing his main features. He shows it off twice and voila, it bypasses Microsoft's "secure" Windows Hello.

If you want a quote, here you go:

Windows Hello, a new face scanning security feature in Windows 10, has been defeated with the use of a printed out picture. ZDNet reports that security researchers from German firm SYSS have defeated Windows Hello on Windows 10 machines running older versions of the operating system. Multiple versions of Windows 10 are affected, and a number of different hardware.

SYSS tested Microsoft’s own Surface Pro 4 device running last year’s Windows 10 Anniversary Update, and found it was vulnerable. Even Microsoft’s anti-spoofing feature of Windows Hello didn’t help protect systems running older versions of Windows 10. SYSS found that if the anti-spoofing feature is disabled on the Creators Update (released earlier this year) or Fall Creators Update (released in October) then you can still bypass Windows Hello. Many modern laptops do not support the anti-spoofing feature of Windows Hello, so devices are still vulnerable even with the latest Windows updates.


It was also found that SOME Windows devices don't support the Anti-Spoofing feature.

The main source is the SYSS YouTube channel demonstrating the exploit.
Microsoft has yet to respond to requests for comment on the matter.

Damn, you screwed up, Microsoft.

Good luck, Have fun, Build PC, and have a last gen console for use once a year. I should answer most of the time between 9 to 3 PST

NightHawk 3.0: R7 5700x @, B550A vision D, H105, 2x32gb Oloy 3600, Sapphire RX 6700XT  Nitro+, Corsair RM750X, 500 gb 850 evo, 2tb rocket and 5tb Toshiba x300, 2x 6TB WD Black W10 all in a 750D airflow.
GF PC: (nighthawk 2.0): R7 2700x, B450m vision D, 4x8gb Geli 2933, Strix GTX970, CX650M RGB, Obsidian 350D

Skunkworks: R5 3500U, 16gb, 500gb Adata XPG 6000 lite, Vega 8. HP probook G455R G6 Ubuntu 20. LTS

Condor (MC server): 6600K, z170m plus, 16gb corsair vengeance LPX, samsung 750 evo, EVGA BR 450.

Spirt  (NAS) ASUS Z9PR-D12, 2x E5 2620V2, 8x4gb, 24 3tb HDD. F80 800gb cache, trueNAS, 2x12disk raid Z3 stripped

PSU Tier List      Motherboard Tier List     SSD Tier List     How to get PC parts cheap    HP probook 445R G6 review

 

"Stupidity is like trying to find a limit of a constant. You are never truly smart in something, just less stupid."

Camera Gear: X-S10, 16-80 F4, 60D, 24-105 F4, 50mm F1.4, Helios44-m, 2 Cos-11D lavs


Just now, goodtofufriday said:

I don't understand? Where is the vulnerability here? It's just bad software.

Fairly sure that using pictures shouldn't be able to fool Windows Hello, bad software or not; IR pictures, especially of poor quality, shouldn't be able to bypass it.


3 minutes ago, goodtofufriday said:

I don't understand? Where is the vulnerability here? It's just bad software.

Really? It allows anyone with a picture of your face to get into your device. If that's not a vulnerability, I don't know what is.

I spent $2500 on building my PC and all i do with it is play no games atm & watch anime at 1080p(finally) watch YT and write essays...  nothing, it just sits there collecting dust...

Builds:

The Toaster Project! Northern Bee!

 

The original LAN PC build log! (Old, dead and replaced by The Toaster Project & 5.0)


"Here is some advice that might have gotten lost somewhere along the way in your life. 

 

#1. Treat others as you would like to be treated.

#2. It's best to keep your mouth shut; and appear to be stupid, rather than open it and remove all doubt.

#3. There is nothing "wrong" with being wrong. Learning from a mistake can be more valuable than not making one in the first place.

 

Follow these simple rules in life, and I promise you, things magically get easier. " - MageTank 31-10-2016

 

 


5 minutes ago, SC2Mitch said:

Fairly sure that using pictures shouldn't be able to fool Windows Hello, bad software or not; IR pictures, especially of poor quality, shouldn't be able to bypass it.

 

4 minutes ago, Bananasplit_00 said:

Really? It allows anyone with a picture of your face to get into your device. If that's not a vulnerability, I don't know what is.

A vulnerability is a defect in code that allows you to bypass. A face recognition software being bad at recognizing faces is not that. It's just a crap algorithm.

CPU: Amd 7800X3D | GPU: AMD 7900XTX


The camera is detecting his real face that's popping out from behind the paper. This test is f*cking bullsh*t! They can, like, find something more productive to do, like go to IKEA and get a proper desk for that Surface Pro instead of plopping it on top of a printer.

Intel Xeon E5 1650 v3 @ 3.5GHz 6C:12T / CM212 Evo / Asus X99 Deluxe / 16GB (4x4GB) DDR4 3000 Trident-Z / Samsung 850 Pro 256GB / Intel 335 240GB / WD Red 2 & 3TB / Antec 850w / RTX 2070 / Win10 Pro x64

HP Envy X360 15: Intel Core i5 8250U @ 1.6GHz 4C:8T / 8GB DDR4 / Intel UHD620 + Nvidia GeForce MX150 4GB / Intel 120GB SSD / Win10 Pro x64

 

HP Envy x360 BP series Intel 8th gen

AMD ThreadRipper 2!

5820K & 6800K 3-way SLI mobo support list

 


5 minutes ago, goodtofufriday said:

 

A vulnerability is a defect in code that allows you to bypass. A face recognition software being bad at recognizing faces is not that. It's just a crap algorithm.

Fairly sure you need code to make software; it doesn't just poof out of thin air. Microsoft still fucked up.


Joke's on them, my laptop doesn't even support it :P But seriously, that has to be one poorly thought out algorithm if it's defeated by low-res pictures. (Wasn't Windows Hello supposed to have depth detection too?)

Edit: Another thought, they might need to disable facial logins when lighting is poor.


8 minutes ago, tjcater said:

Joke's on them, my laptop doesn't even support it :P But seriously, that has to be one poorly thought out algorithm if it's defeated by low-res pictures. (Wasn't Windows Hello supposed to have depth detection too?)

Edit: Another thought, they might need to disable facial logins when lighting is poor.

I have it but I don't use it.


2 hours ago, Matu20 said:

Not surprised at all, notebook webcams are horrible.

This is a 1080p one. It's a Microsoft Surface 4, so it's not bad, and Microsoft should have it working properly on their own devices.


Looks back at all the shade people tried to throw on Apple

Laptop: 2019 16" MacBook Pro i7, 512GB, 5300M 4GB, 16GB DDR4 | Phone: iPhone 13 Pro Max 128GB | Wearables: Apple Watch SE | Car: 2007 Ford Taurus SE | CPU: R7 5700X | Mobo: ASRock B450M Pro4 | RAM: 32GB 3200 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 11 | Storage: 1TB Crucial P3 NVME SSD, 1TB PNY CS900, & 4TB WD Blue HDD | PSU: Be Quiet! Pure Power 11 600W | Display: LG 27GL83A-B 1440p @ 144Hz, Dell S2719DGF 1440p @144Hz | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G305 | Audio: Audio Technica ATH-M50X & Blue Snowball | Server: 2018 Core i3 Mac mini, 128GB SSD, Intel UHD 630, 16GB DDR4 | Storage: OWC Mercury Elite Pro Quad (6TB WD Blue HDD, 12TB Seagate Barracuda, 1TB Crucial SSD, 2TB Seagate Barracuda HDD)

Can we just get rid of face recognition? Seems like there are more issues than benefits. Why is it so hard to type in a password... or use the fingerprint reader, which is built into everything these days? I mean, you can even get fingerprint locks for your goddamn fridge.

🌲🌲🌲

 

 

 

◒ ◒ 


2 minutes ago, Sierra Fox said:

Can we just get rid of face recognition? Seems like there are more issues than benefits. Why is it so hard to type in a password... or use the fingerprint reader, which is built into everything these days? I mean, you can even get fingerprint locks for your goddamn fridge.

Or maybe an iris scanner that's well developed, and a fingerprint reader for the ultra security conscious; that way, if someone wants to steal your computer, they'll need to steal your life.


8 hours ago, HarryNyquist said:

You mean *gasp* using someone's face, an incredibly non-unique biometric, as authentication over fingerprints or passwords actually isn't that secure?

 

How strange.

Eh, if it's topographically mapped as well, it's pretty unique. Of course, that requires a hell of a lot more sophistication than Windows Hello.


This is why:

 

PIN/Passcode (most secure) > fingerprint ID >  facial recognition (least secure)

 

Also, it would be better if Windows 10 added an anti-brute-force feature similar to smartphones, which wipes all data after ten accumulated failed PIN/password attempts, especially if Device Encryption is enabled.

There is more that meets the eye
I see the soul that is inside

 

 


9 hours ago, HarryNyquist said:

You mean *gasp* using someone's face, an incredibly non-unique biometric, as authentication over fingerprints or passwords actually isn't that secure?

 

How strange.

Face security is fine when it's done well.  This is why Apple bent over backwards with its depth sensing approach to Face ID -- so you couldn't fool it with a photo. The problem is that Hello just isn't as sophisticated.

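The depth-sensing point in the post above, as an added illustration that is not part of the original thread and is neither Microsoft's nor Apple's code: a depth camera returns a distance per pixel, and a printed photograph, however sharp, lies close to a single plane, while a real face has a nose and brow that sit well off any plane fitted through the face region. The check below fits a least-squares plane to the depth samples and refuses to treat the capture as live when the residual is too small, falling back to "reject" (i.e. ask for the PIN) when the samples are unusable. The 16x16 sample grid, the 600 mm working distance, the 25 mm protrusion and the 2 mm threshold are constructed assumptions for the example, not figures from any product.

```python
"""Planarity-based liveness check for a depth-sensing face unlock.

Added example (not part of the forum thread, not Microsoft's or Apple's
code). A flat print of a face is near-planar in depth; a real face is
not. All thresholds and the synthetic captures below are assumptions.
"""
from math import exp, sqrt
from typing import Sequence, Tuple

DepthSample = Tuple[float, float, float]  # (column_px, row_px, depth_mm)

# Assumed threshold: a real face should leave at least this much RMS
# depth off the best-fit plane through the face region.
MIN_RESIDUAL_MM = 2.0
GRID = 16  # constructed 16x16 depth samples over the face region


def _det3(m: Sequence[Sequence[float]]) -> float:
    """Determinant of a 3x3 matrix (used for Cramer's rule)."""
    return (m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
            - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
            + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0]))


def fit_plane(samples: Sequence[DepthSample]) -> Tuple[float, float, float]:
    """Least-squares plane z = a*x + b*y + c through the depth samples.

    Solves the 3x3 normal equations with Cramer's rule so the example
    needs no numpy. Raises ValueError when the samples do not span a
    plane (e.g. all on one line), so a caller can fail closed.
    """
    sxx = sxy = syy = sx = sy = sxz = syz = sz = 0.0
    n = float(len(samples))
    for x, y, z in samples:
        sxx += x * x; sxy += x * y; syy += y * y
        sx += x; sy += y
        sxz += x * z; syz += y * z; sz += z
    m = [[sxx, sxy, sx], [sxy, syy, sy], [sx, sy, n]]
    rhs = [sxz, syz, sz]
    det = _det3(m)
    if abs(det) < 1e-9:
        raise ValueError("degenerate sample layout: cannot fit a plane")
    coeffs = []
    for col in range(3):
        mi = [row[:] for row in m]
        for r in range(3):
            mi[r][col] = rhs[r]
        coeffs.append(_det3(mi) / det)
    return coeffs[0], coeffs[1], coeffs[2]


def plane_residual_rms(samples: Sequence[DepthSample]) -> float:
    """RMS distance (mm) of the samples from their best-fit plane."""
    a, b, c = fit_plane(samples)
    sq = sum((z - (a * x + b * y + c)) ** 2 for x, y, z in samples)
    return sqrt(sq / len(samples))


def is_live(samples: Sequence[DepthSample],
            min_residual_mm: float = MIN_RESIDUAL_MM) -> bool:
    """True when the capture has enough relief to be a real face."""
    return plane_residual_rms(samples) >= min_residual_mm


def liveness_verdict(samples: Sequence[DepthSample]) -> str:
    """'live', 'spoof', or 'reject' (unusable capture: fall back to PIN)."""
    try:
        rms = plane_residual_rms(samples)
    except ValueError:
        return "reject"  # fail closed rather than guess
    return "live" if rms >= MIN_RESIDUAL_MM else "spoof"


def flat_photo_capture() -> list:
    """Constructed: a printed photo held tilted and slightly bowed."""
    out = []
    for y in range(GRID):
        for x in range(GRID):
            z = 600.0 + 0.3 * x - 0.2 * y + 0.002 * (x - 7.5) ** 2
            out.append((float(x), float(y), z))
    return out


def real_face_capture() -> list:
    """Constructed: same tilt, plus a ~25 mm nose/brow bulge toward the camera."""
    out = []
    for y in range(GRID):
        for x in range(GRID):
            r2 = (x - 7.5) ** 2 + (y - 7.5) ** 2
            z = 600.0 + 0.3 * x - 0.2 * y - 25.0 * exp(-r2 / 24.0)
            out.append((float(x), float(y), z))
    return out


if __name__ == "__main__":
    for name, cap in (("flat photo", flat_photo_capture()),
                      ("real face", real_face_capture())):
        print(f"{name}: residual {plane_residual_rms(cap):.2f} mm -> {liveness_verdict(cap)}")
```

The tilt of the paper is absorbed by the plane fit, so holding a print at an angle does not help it; what the check measures is relief, which a flat print does not have. This is only the planarity component of a liveness pipeline; a production system would pair it with other cues and, as the "reject" branch does here, fall back to a PIN whenever the depth data is unusable.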

11 hours ago, goodtofufriday said:

 

A vulnerability is a defect in code that allows you to bypass. A face recognition software being bad at recognizing faces is not that. It's just a crap algorithm.

Could one argue that a bad algorithm or bad implementation of an algorithm is a defect in the code?


11 hours ago, Bananasplit_00 said:

Really? It allows anyone with a picture of your face to get into your device. If that's not a vulnerability, I don't know what is.

Name me one way except a passphrase that's actually hard to find that's secure. Someone can lift your fingerprints pretty easily. Eyeballs are a pain in the ass so nobody wants to use that, especially if you have glasses/contact lenses. Just use a random passphrase. It's not rocket science.


A) Using an irrelevant and out of date version of Windows 10

B) I'm calling bullshit.

C) I'm calling bullshit.

 

Too many "security researchers" claim they find shit, but it's just a bunch of lies, with stuff like the iPhone 10.

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023),


Microsoft really need to face up to this.


I hope this is fixable. I understand the convenience behind things like Windows Hello and Face ID, but at the cost of security is it really more convenient?
