Printed photos can fool Windows 10’s Hello face authentication

Windows 10’s facial authentication system might be able to tell the difference between you and your twin, but it could apparently be fooled with a photo of your face. According to researchers from German security firm SySS, systems running previous versions of the platform can be unlocked with a printed photo of your face taken with a near-infrared (IR) camera. The researchers conducted their experiments on various Windows 10 versions and computers, including a Dell Latitude and a Surface Pro 4.

The spoof isn’t exactly easy to pull off — someone who wants to access your system will have quite a bit of preparation ahead of them. In some cases, the researchers had to take additional measures to spoof the systems, such as placing tape over the camera. Not to mention, they needed high-quality printouts of users’ photos clearly showing a close-up, frontal view of their faces.

Still, the researchers said the technique can successfully unlock computers and even released three videos showing it in action, which you can watch below. Somebody determined enough to break into your system could do so (they could scour your Facebook account for high-res photos they can modify, for instance), and your best bet is downloading and installing the Windows 10 Fall Creators Update. Simply installing the update isn’t enough, though: your system will still be vulnerable. The researchers said you’ll have to set up Windows Hello’s facial authentication from scratch and enable the new enhanced anti-spoofing feature to make sure you’re fully protected.

It’s not just Microsoft’s technology that has vulnerabilities, though. Its fellow tech titans, Apple and Samsung, are also having trouble with their authentication systems. A German hacking group found that the S8’s iris scanner can be spoofed using a photo of the user with contact lens on top, while another group of security researchers said they found a way to fool iPhone X’s face scanning system with masks.

Via: ZDNet, The Verge

Source: SySS

Engadget RSS Feed