
Researchers bypassed Windows Hello, but you probably don't have to worry

Surface Laptop 3 15 (Image credit: Windows Central)

What you need to know

  • Researchers found a vulnerability that allows attackers to bypass Windows Hello facial recognition.
  • Exploiting the vulnerability requires an IR image of the target's face, physical access to the target's device, and a specialized piece of USB hardware.
  • There's no evidence that this vulnerability has been taken advantage of in the wild.

A group of researchers from CyberArk Labs managed to bypass Windows Hello using a recently discovered vulnerability. CyberArk refers to the vulnerability as a "design flaw" that lets an attacker bypass Windows Hello facial recognition.

In practice, this vulnerability probably isn't much of a concern for most people. To take advantage of it, an attacker would need an IR image of the target's face, physical access to the victim's PC, and a specialized piece of USB hardware.

CyberArk doesn't have any evidence of attackers taking advantage of the vulnerability in the wild. The research focuses on Windows Hello for Business, but CyberArk notes that "potentially any authentication system that allows a pluggable third-party USB camera to act as biometric sensor could be susceptible to this attack without proper mitigation." It adds, however, that it has "not performed practical tests to verify this."

Cameras that support Windows Hello have two sensors: an RGB sensor for visible-light images and an infrared (IR) sensor. According to CyberArk, Windows Hello only processes the IR camera frames during authentication.

CyberArk bypassed Windows Hello by building a custom USB device that Windows enumerates as a camera and that transmits IR frames of the target. The researchers found that a single valid IR frame of the target's face is enough to get past the facial recognition check; a second frame must also be supplied, but since Windows Hello does not analyze it, it can simply be a black frame.

"To summarize what we've learned so far: We have seen that an attacker can create a custom-made USB device that Windows Hello will work with," said CyberArk. "The attacker controls the data that comes from this device. With only one valid IR frame of the target, the adversary can bypass the facial recognition mechanism of Windows Hello, resulting in a complete authentication bypass and potential access to all the victim's sensitive assets."
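Because the attack hinges on a USB device that Windows accepts as a camera, the first thing a defender will want to know is which camera devices a machine currently presents and which of them sit on the USB bus. The following PowerShell inventory is an added example, not code from the article or from CyberArk; it assumes a Windows 10/11 host with the built-in PnpDevice cmdlets (Get-PnpDevice) and uses the enumerator prefix of each device's InstanceId to classify the bus.

```powershell
# Added example (not from the article or CyberArk): list camera-class PnP devices
# and flag the ones enumerated over USB, the bus the bypass hardware plugs into.
# Assumes Windows 10/11 with the PnpDevice module available.

function Get-CameraInventory {
    [CmdletBinding()]
    param()

    # 'Camera' is the modern device class for webcams and Windows Hello IR sensors;
    # 'Image' catches older imaging-class drivers. -PresentOnly skips devices that
    # were seen in the past but are not attached right now.
    $devices = Get-PnpDevice -Class Camera, Image -PresentOnly -ErrorAction SilentlyContinue

    foreach ($dev in $devices) {
        # The InstanceId starts with the enumerator (bus) name:
        #   USB\VID_xxxx&PID_xxxx\...  -> attached over USB
        #   ACPI\..., PCI\..., or a vendor-specific root -> on the system board
        $bus = ($dev.InstanceId -split '\\')[0]

        [PSCustomObject]@{
            FriendlyName = $dev.FriendlyName
            Bus          = $bus
            IsUsb        = ($bus -ieq 'USB')
            Status       = $dev.Status
            InstanceId   = $dev.InstanceId
        }
    }
}

# USB-attached cameras sort to the top so unexpected ones stand out.
Get-CameraInventory | Sort-Object IsUsb -Descending | Format-Table -AutoSize
```

One caveat when reading the output: many integrated laptop webcams, including the IR sensor used for Windows Hello, are wired to an internal USB hub and therefore also enumerate with a `USB\` prefix. The bus alone does not prove a device is external; compare the list against a known-good baseline for that hardware model (vendor and product IDs in the InstanceId) rather than treating every USB camera as suspicious.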

Microsoft shared a mitigation for the vulnerability on July 13, 2021. CyberArk will present its findings at Black Hat 2021 on August 4-5, 2021.

Sean Endicott

Sean Endicott is the news writer for Windows Central. If it runs Windows, is made by Microsoft, or has anything to do with either, he's on it. Sean's been with Windows Central since 2017 and is also our resident app expert. If you have a news tip or an app to review, hit him up at sean.endicott@futurenet.com.

5 Comments
  • No, it isn't that big of a concern for most people. But if you are subject to a criminal investigation, this could be used to get into your computer without the police ever needing to ask for your password, something you currently are legally allowed to deny providing.
  • They'd still have to get an IR image of your face, which may not be possible without consent.
  • Also, it's as easy as pointing a gun to your head and forcing you to unlock a device, if it comes to it, lol
  • thanks for the tinfoil hat angle, every thread needs one
  • In other news, fingerprint and facial recognition security was defeated by amputation and decapitation.