Researchers bypassed Windows Hello, but you probably don't have to worry

Surface Laptop 3 15 (Image credit: Windows Central)

What you need to know

  • Researchers found a vulnerability that allows attackers to bypass Windows Hello facial recognition.
  • Attacking through the vulnerability requires a person to have an IR image of a target, physical access to a target device, and a specialized piece of USB hardware.
  • There's no evidence that this vulnerability has been taken advantage of in the wild.

A group of researchers from CyberArk Labs managed to bypass Windows Hello using a recently discovered vulnerability. CyberArk refers to the vulnerability as a "design flaw" that lets an attacker bypass Windows Hello facial recognition.

In practice, this vulnerability probably isn't much of a concern for most people. In order to take advantage of it, an attacker would need an IR image of a target's face, physical access to the potential victim's PC, and a specialized piece of USB hardware.

CyberArk doesn't have any evidence of attackers taking advantage of the vulnerability in the wild. This new research on Windows Hello focuses on Windows Hello for Business, but CyberArk notes that "potentially any authentication system that allows a pluggable third-party USB camera to act as biometric sensor could be susceptible to this attack without proper mitigation." It adds, however, that it has "not performed practical tests to verify this."

Cameras that support Windows Hello have two sensors, an RGB sensor for visible images and an IR sensor. According to CyberArk, Windows Hello only processes the IR camera frames during the authentication process.

CyberArk was able to bypass Windows Hello by creating a custom piece of USB hardware that transmitted IR frames of a target. The researchers found that only a single valid IR frame of the target is required to get around Windows Hello, plus one additional frame, which can simply be a black frame.

"To summarize what we've learned so far: We have seen that an attacker can create a custom-made USB device that Windows Hello will work with," said CyberArk. "The attacker controls the data that comes from this device. With only one valid IR frame of the target, the adversary can bypass the facial recognition mechanism of Windows Hello, resulting in a complete authentication bypass and potential access to all the victim's sensitive assets."
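As an added illustration, not code from CyberArk or from Windows, here is a simplified Python model of the authentication path described above: the flawed path evaluates only the content of IR frames, regardless of which USB device produced them, while the hardened path also requires the frame to come from a sensor the platform trusts. The sensor identities, the hash-based template matching and the frame contents are constructed stand-ins for a real sensor attestation and face-recognition model.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    sensor_id: str  # identity the USB device reports for itself
    kind: str       # "ir" or "rgb"
    data: bytes     # raw frame contents

# Constructed stand-ins: the enrolled template is just a hash of a byte string
# standing in for the user's IR capture; real matching is a face-recognition model.
ENROLLED_IR_CAPTURE = b"constructed-ir-capture-of-enrolled-user"
ENROLLED_TEMPLATE = hashlib.sha256(ENROLLED_IR_CAPTURE).hexdigest()
BLACK_FRAME = bytes(16)

# Hypothetical allowlist of sensor identities the platform has attested.
TRUSTED_SENSORS = {"builtin-ir-sensor-0001"}

def matches_template(frame):
    # RGB frames are ignored entirely; only IR frames are matched.
    if frame.kind != "ir":
        return False
    return hashlib.sha256(frame.data).hexdigest() == ENROLLED_TEMPLATE

def authenticate_flawed(frames):
    """Design flaw as described: any device that enumerates as a camera may
    supply frames, and a single matching IR frame is enough to authenticate."""
    return any(matches_template(f) for f in frames)

def authenticate_hardened(frames):
    """Mitigated path: a frame is only considered when the sensor it came from
    is on the trusted (attested) list, so a replayed IR frame from an
    untrusted USB device is never matched against the template."""
    return any(f.sensor_id in TRUSTED_SENSORS and matches_template(f) for f in frames)

# Constructed scenarios. A rogue USB device replays one valid IR frame of the
# target followed by a black frame; the built-in sensor captures the live user.
ROGUE_FRAMES = [
    Frame("usb-cam-rogue", "ir", ENROLLED_IR_CAPTURE),
    Frame("usb-cam-rogue", "ir", BLACK_FRAME),
]
LIVE_FRAMES = [
    Frame("builtin-ir-sensor-0001", "rgb", b"visible-light-frame"),
    Frame("builtin-ir-sensor-0001", "ir", ENROLLED_IR_CAPTURE),
]

if __name__ == "__main__":
    print("flawed   :", authenticate_flawed(ROGUE_FRAMES))    # True
    print("hardened :", authenticate_hardened(ROGUE_FRAMES))  # False
```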

Microsoft shared a mitigation for the vulnerability on July 13, 2021. CyberArk will present its findings at Black Hat 2021 on August 4-5, 2021.

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at sean.endicott@futurenet.com.

5 Comments
  • No, it isn't that big of a concern for most people. But if you are subject to a criminal investigation, this could be used to get into your computer without the police ever needing to ask for your password, something you currently are legally allowed to deny providing.
  • They'd still have to get an IR image of your face, which may not be possible without consent.
  • Also, it's as easy as pointing a gun to your head and forcing you to unlock a device, if it comes to it, lol
  • thanks for the tinfoil hat angle, every thread needs one
  • In other news, finger print and facial recognition security was defeated by amputation and decapitation.