Windows Hello bypassed using infrared image
Catalin Cimpanu July 18, 2021

Windows Hello bypassed using infrared image

Windows Hello bypassed using infrared image

Researchers from security firm CyberArk bypassed Windows Hello, the biometrics authentication system included with all Windows 10 versions, using just an infrared image of the device’s owner.

Discovered by CyberArk security researcher Omer Tsarfati, the vulnerability resided in Windows Hello’s facial recognition feature, and more specifically, in how Windows Hello processed data from USB-connected webcams.

While most users are aware that they could use a webcam to authenticate on a Windows 10 computer using their face, Tsarfati discovered that Windows Hello also supported infrared-capable webcam input.

The CybarArk researcher discovered that the video input verification process for infrared input was not sufficient or on par with the one for normal (RGB) cameras.

In tests performed earlier this year, Tsarfati found that an attacker could connect a malicious USB device designed to mimic a USB webcam to a Windows 10 computer and then use it to feed an infrared image of the device owner’s face.

While under normal circumstances, an attacker would not be able to feed a static image to Windows Hello, these same rules did not apply to the infrared input, with the CyberArk researcher successfully bypassing the authentication process and gaining access to a locked Windows 10 device.

Physical access would be required to abuse this attack vector, but Tsarfati said that Microsoft has fixed this vulnerability, tracked as CVE-2021-34466, earlier this week, as part of the July 2021 Patch Tuesday security updates.

Windows 10 users, especially those in enterprise devices where passwordless authentication is often enabled, are encouraged to apply the latest security updates.

A video of Tsarfati’s Windows Hello bypass is available here, while a technical write-up is available on the CyberArk blog.

Tsarfati is also scheduled to present his findings at the Black Hat USA 2021 security conference at the start of August.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.