Windows Hello

Windows Hello is the new biometric security feature introduced in Windows 10. Available on all Windows 10 devices when coupled with the right hardware, Windows Hello was supposed to be super secure. However, for the first time, it has been outsmarted using just a photo.

A group of security researchers from SySS GmbH has found a way to bypass it with a specially prepared photo. As first spotted by Dr. Windows, the researchers created the photo using the following method:

  1. A frontal face photo of the person was taken
  2. It was taken with a near-infrared camera
  3. The brightness and contrast were adjusted using image processing
  4. The photo was printed with a laser printer

The researchers observed that the hack worked on Windows 10 based PCs when the photo was held close to the camera. The good news is that the hack doesn’t work on PCs running Windows 10 versions 1703 and above. That means computers running the Creators Update and the Fall Creators Update are safe. There’s a special “Anti-spoofing feature” in versions 1703 and 1709 which, when enabled (by default), prevents the attack.

The hack was tested on the Microsoft Surface Pro 4 and Dell Latitude E7470, and it worked on Windows 10 builds except versions 1703 and 1709. The researchers strongly urged users to upgrade their PCs to the latest builds and published a security advisory. Microsoft has acknowledged the issue but hasn’t issued a patch so far.

The researchers have released videos demoing the hack, and you can view them here.

While there have been numerous attempts to fool Windows Hello before, this is the first time it has been achieved. What’s more, the hack was achieved using just a photo. While most PCs will be safe, we strongly urge users to update their PCs to the latest builds.

The researchers will reveal more about the hack in spring 2018. The full details of the hack are available here for you to read.