
Bypassing Windows Face Recognition without being a Shapeshifter


Biometric authentication has seen rapid adoption by users across the globe because it offers fewer security risks and a faster response. A passwordless approach alleviates a diverse range of security risks. One of the most widely embraced passwordless authentication approaches is Windows Hello, which lets the user log in without a password using a PIN code, fingerprint, or facial recognition. According to Microsoft, around 84.7 percent of Windows 10 users use Hello to log in to their systems. Each person's biometrics are unique, so without plastic surgery it would be impossible to use someone else's system with biometric authentication enabled, making it one of the best security options, or so it was thought until recently.
The CyberArk Labs research team has been exploring potential vulnerabilities in systems using Windows Hello to strengthen the future of biometric security. The result was the discovery of a security flaw, a CVE rated 5.7, which allows an attacker to bypass Windows Hello's facial recognition using a simple USB camera. The attack's approach is similar to what is shown in Tom Cruise's famous sci-fi movie Minority Report, where the criminal uses a USB device to clone an infrared image of the target's face.
Windows Hello facial recognition only works with webcams that have both RGB and infrared sensors, but the system does not read the actual RGB data. Facial recognition is considered more secure because it doesn't require a password, which makes it immune to brute-force and phishing attacks. However, that is not entirely true: in the background, the password hash is used to unlock the device once the face in front of the camera matches the one in the system's database. The researchers at CyberArk said that, after studying the working principle of Windows Hello facial recognition, they concluded that the easiest way for an attacker to get access to the system is to impersonate the camera, because the whole process depends on this input. An attacker with physical access can easily bypass Windows Hello by programming a USB webcam to deliver an image chosen in advance by the attacker, manipulating the system into thinking that the owner is present in front of the camera and is authorizing the unlock. The attacker might capture or recreate an image of the victim's face and inject the spoofed picture into the custom-made USB device. The attacker then connects the USB device to the victim's system, and the device transmits the spoofed infrared image to the system as authentication proof. The attacker thus gains access to the victim's system while impersonating the victim.
Although this was found in the research phase and there is no news of this attack being used to steal data, it was a huge step forward in the security domain. The vulnerability has already been patched in Windows, with an update released on July 13th.
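
The sequence described above (physical access, a USB camera plugged in, then an unlock) leaves a trace that defenders can correlate. This added example, which is not part of the original post, matches Windows Security events 4800 (workstation locked), 6416 (new external device recognized) and 4801 (workstation unlocked) to flag an unlock that closely follows a camera being attached to a locked machine. The event records, their field names and the five-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

# Windows Security log event IDs.
LOCKED, UNLOCKED, NEW_DEVICE = 4800, 4801, 6416
CAMERA_CLASSES = {"camera", "image"}  # device setup classes used by webcams

# Constructed, simplified records (not real logs); field names are assumptions.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T09:00:00", "host": "WS-01", "id": LOCKED},
    {"time": "2024-01-15T09:12:10", "host": "WS-01", "id": NEW_DEVICE,
     "class": "Camera", "desc": "USB Video Device"},
    {"time": "2024-01-15T09:12:40", "host": "WS-01", "id": UNLOCKED, "user": "alice"},
    # Keyboard attached while locked: not a camera, so no alert.
    {"time": "2024-01-15T10:00:00", "host": "WS-02", "id": LOCKED},
    {"time": "2024-01-15T10:05:00", "host": "WS-02", "id": NEW_DEVICE,
     "class": "Keyboard", "desc": "HID Keyboard Device"},
    {"time": "2024-01-15T10:05:20", "host": "WS-02", "id": UNLOCKED, "user": "bob"},
    # Camera attached while the session was open, before the lock: no alert.
    {"time": "2024-01-15T11:00:00", "host": "WS-03", "id": NEW_DEVICE,
     "class": "Camera", "desc": "USB Video Device"},
    {"time": "2024-01-15T11:30:00", "host": "WS-03", "id": LOCKED},
    {"time": "2024-01-15T11:31:00", "host": "WS-03", "id": UNLOCKED, "user": "carol"},
]

def find_suspicious_unlocks(events, window=timedelta(minutes=5)):
    """Flag unlocks that follow a camera attach on a locked host within `window`."""
    locked, pending, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        host, when = ev["host"], datetime.fromisoformat(ev["time"])
        if ev["id"] == LOCKED:
            locked[host] = True
        elif ev["id"] == NEW_DEVICE and locked.get(host):
            # Only camera-class devices attached during a locked session matter here.
            if ev.get("class", "").lower() in CAMERA_CLASSES:
                pending[host] = (when, ev.get("desc", "unknown device"))
        elif ev["id"] == UNLOCKED:
            locked[host] = False
            attached = pending.pop(host, None)
            if attached and when - attached[0] <= window:
                alerts.append({"host": host, "user": ev.get("user"),
                               "device": attached[1],
                               "seconds_after_attach":
                                   int((when - attached[0]).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_unlocks(SAMPLE_EVENTS):
        print(alert)
```

Events 6416 and 4800/4801 are only written when the "Audit PNP Activity" and "Audit Other Logon/Logoff Events" audit subcategories are enabled.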


By: Mayukh Paul
    (Tech Intern, WCSF)

