Windows Hello login bypassed via infrared photo

Security researchers from CyberArk have managed to trick the facial recognition login of Windows Hello in Windows 10 (also included in Windows 11). All they needed was an infrared photo of the face in question, presented by a fake USB device acting as an IR camera. Here is some information on the matter.


Windows Hello login

Windows Hello is an operating system logon method supported from Windows 10 onwards. Sign-in with Hello can be done with a PIN, facial recognition or a fingerprint. As part of setting up fingerprint or facial recognition sign-in, users must also set up a PIN, so they can sign in with the PIN when in doubt.

According to Microsoft, these options are meant to make logging into a corresponding PC easier and more secure, as the PIN is only associated with one device and is backed up to your Microsoft account for recovery. Fingerprint and facial recognition also sound like more convenience and security. However, it is known from the past that these identification methods can be fooled.

The trick with the infrared photo

Unknown to many users, the Hello login can use infrared images of a person for authentication, in addition to a webcam for facial recognition. Security researchers from CyberArk have taken advantage of this, as I can see from the following tweet.

[Image: Windows Hello Infrared bypass]

Catalin Cimpanu has summarized the facts in this article. In a nutshell: CyberArk security researcher Omer Tsarfati discovered that Windows 10 Hello not only enables facial recognition from webcams, but also supports signals from infrared-enabled webcams.


Then, in early 2021, Omer Tsarfati conducted various tests. He was surprised to find that infrared evaluation of a face is not equivalent to face recognition with normal (RGB) cameras. While Windows Hello expects a moving face with a normal webcam, this is not the case with the verification process for infrared input.

Tsarfati managed to use a "malicious USB device" that mimics an infrared camera and carries an infrared profile of his face, and submitted this infrared photo of his face to Windows 10. The static infrared image from the fake USB device was recognized, and Windows Hello granted access to a locked device. The vulnerability is not that dramatic, since the attacker must have access to a device. But then he could connect a fake infrared camera and attempt a login using an infrared profile/photo of another person.

According to Tsarfati, Microsoft fixed this vulnerability (CVE-2021-34466) with the July 13, 2021 security updates. Windows 10 users who use this feature of Windows Hello for passwordless authentication are advised to install the latest security updates.
