Windows 10 Hello face recognition can be fooled with photos

If you've skipped recent Windows 10 Creators Updates, here's a reason to change your mind: its facial recognition security feature, Hello, can be spoofed with a photograph. The vulnerability was announced by German pentest outfit Syss at Full Disclosure. Even if you've installed the fixed versions that shipped in October – …

  1. Anonymous Coward
    Windows

    About face

    I'm wondering about the type of user that would consider relying on face recognition instead of a password. Could it be they're already totally pwned?

    1. Andrew 51

      Re: About face

      I'm wondering about the kind of user who would imagine that typing a password on a tablet screen was a secure way to authenticate themselves.

      The risk factors are hardly trivial to compare.

    2. Charles 9

      Re: About face

      Or could it be they just have a VERY poor memory for passwords, such that even "correcthorsebatterystaple" easily becomes "donkeyenginepaperclipwrong" or the like?

  2. Anonymous Coward
    Anonymous Coward

    If only there was some other way to log into a computer or device that only the person logging in could supply, like a password or a pass code, backed up by another device that only they should have access to but which would be useless without the other information.

    Surely there must be someone out there that could create this sort of system?

    1. Doctor Syntax Silver badge

      "backed up by another device that only they should have access to"

      How does the user authenticate themselves on that other device?

      1. John Robson Silver badge

        >How does the user authenticate themselves on that other device?

        You don't - but without that device (we're quite good at keeping physical objects, like phones, keys and cash secure) *and* something you know... then you don't get in.

        1. Charles 9

          "(we're quite good at keeping physical objects, like phones, keys and cash secure)"

          ORLY? I've lost count of the number of times I've heard of lost keys and wallets or found the same lying around in the middle of nowhere.

          1. John Robson Silver badge

            "ORLY? I've lost count of the number of times I've heard of lost keys and wallets or found the same lying around in the middle of nowhere."

            Yes - we genuinely are quite good at keeping things safe.

            And of course if you find a secureID token, or one of those debit card based versions...

            You still don't have the 'other' factor.

            2FA does nothing for the man standing behind you with a lead pipe... but it does make systems much less vulnerable to simple hacks.

            1. Charles 9

              "And of course if you find a secureID token, or one of those debit card based versions...

              You still don't have the 'other' factor."

              Unless, of course, you're actually one of the "lead pipe" types, which are actually a lot closer than you think. Plus there's the ability to pwn the machine while the second factor's already entered, again a lot more frequent than you think. Instead of targeting the second factor, simply look outside the envelope for a point where it MUST be interactive, much like you get past encryption by waiting for a point where the information MUST be decrypted.

        2. bigfeet555

          "Other device"

          I hope the "other device" fits on a key ring.

      2. Anonymous Coward
        Anonymous Coward

        "How does the user authenticate themselves on that other device?"

        They authenticate when they set up the password; otherwise you would ask how they set the password, and then the whole trust mechanism fails, as the person setting it up could be anyone.

  3. Anonymous Coward
    Anonymous Coward

    I think as it stands face recognition is pretty useless; however, I'm wondering, even if they perfected it with a 100% success rate, which sci-fi race it would be the most useless for. I'm going to throw the Cylons and Daleks in the hat.

    1. Not also known as SC

      Didn't the latest model of Dalek have a bar code on their cases? I think the Blob would be far more challenging or the mind creature from Forbidden Planet.

      1. Anonymous Coward
        Anonymous Coward

        I forgot the cybermen. They would be perfect

        Cyberman 1: I have unlocked the Cyber Controller's phone.

        Cyberman 2: Excellent.

        Cyberman 1: Upgrading is compulsory.

        Cyberman 2: You will be upgraded.

        Cyber Controller: Oh shit, delete! iOS 11 is not compatible.

        Cybermen - Good baddies, rubbish at jokes.

    2. TRT Silver badge

      Star Wars clone troopers?

  4. wallaby

    Simple fact of modern life: people will shout about protection of their assets till they are blue in the face, but when it comes down to it, the simple act of typing a password or fishing out the challenge-response device and using it is all far too onerous for them.

    Face recognition, contactless pay, cheap fingerprint readers........

    Use them - you deserve what you get.

    1. Charles 9

      So if they have a poor head for passwords, all you can tell them is, "You're simply screwed. Just give up and bend over."?

  5. Hans 1
    FAIL

    They tried to change the Surface Pro's config to “enhanced anti-spoofing”, but claimed its “LilBit USB IR camera only supported the default configuration and could not be used with the more secure face recognition settings.”

    Voila, they ship cheap camera with their pricy kit.

  6. MarkElmes

    Well I have Windows Hello set up on my surface book and it's rapid and very useful - far quicker and more reliable recognition than my Samsung S8+. To be honest if someone has physical access to your machine then you can count it pwned anyway so I don't see the issue here.

    1. Paul Crawford Silver badge

      "To be honest if someone has physical access to your machine then you can count it pwned anyway so I don't see the issue here."

      There is a difference between 'having physical access' in the sense of time and privacy to open a machine to extract the HDD and/or modify it to insert a keylogger or run some sort of DMA attack via Thunderbolt ports, etc., and 'having physical access' as in popping in to an office with a sheet of paper when you have gone to the toilet.

      1. Anonymous Coward
        Anonymous Coward

        Wait a minute - it can be spoofed by skid marks on toilet paper?

        1. Anonymous Coward
          Anonymous Coward

          That's shit.

          1. TRT Silver badge

            Wipe to login.

    2. GruntyMcPugh Silver badge

      Physical Access

      "To be honest if someone has physical access to your machine then you can count it pwned anyway so I don't see the issue here."

      Ahem, Bitlocker.

  7. N2
    Facepalm

    Testing?

    I suppose all that nonsense was abandoned long ago...

    1. Charles 9

      Re: Testing?

      Yes. A little something called DEADLINES. That and the fact the number of configuration combinations is simply too great to test.

  8. Sil

    This article is too sensationalist, its title should be "Windows 10 Hello face recognition can be fooled by photos under easily fixable conditions".

    It's absolutely not like FaceID or the facelol Samsung iris recognition, which are truly jokes and pwnable under all circumstances.

    1. ThomH

      No, it's worse than FaceID because no matter how fantastic a job Microsoft does, some PC manufacturer will save $0.10 by putting in the cheapest piece of garbage camera that their supplier happens to have a warehouse full of.

      That's why nobody has yet managed to fool FaceID with a mere photograph, whereas as per this very article people are able to fool Windows 10 Hello with a mere photograph everywhere that a "[whatever brand] USB IR camera ... could not be used with the more secure face recognition settings".

  9. cambsukguy

    Can it be done with a regular photo?

    Like the kind people leave lying around on social media.

    Or, does it need a specific, near-IR photo taken with a special camera?

    Because, if so, don't let someone take a face-on picture of you with a 'funny-looking' camera.

    I do wonder if the proper iris-recognition system of the Lumia 950 has been defeated, because it works well enough; perhaps they should have the extra hardware on the Surface at least.

  10. Dinsdale247

    Next Step

    This is not face recognition. They measure features on a person's face and compare that to a previous record. It recognizes distances between points (and is probably a fuzzy match).

    Find out what points of the person's face the algorithm is measuring and you don't even need a real picture to fool the system.

    Plug in a USB device that claims it's a camera and start throwing patterns at the login subsystem.

    Fun stuff.

  11. sloshnmosh

    "Plug in a usb device that claims it's a camera and start throwing patterns at the login subsystem."

    Upvoted because I love a good USB HID hack

  12. Jin

    More important is the trade-off between false acceptance and false rejection

    Hacking by photos, masks and brothers is a minor issue. Even if perfected to be fake-proof, biometrics will remain insecure due to the inherent trade-off between False Acceptance and False Rejection.

    Two entrances placed in parallel in case of false rejection provide nice convenience to criminals. This is what we witness in so many biometrics products in cyberspace.
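Editor's added example, not code from the article, from Microsoft, or from any commenter: a toy landmark-distance matcher that illustrates both Dinsdale247's point (comment 10) that a fuzzy match on distances between facial points is satisfied by anything reproducing the 2D geometry, such as a flat print, and Jin's point (comment 12) that the acceptance threshold is a False Acceptance / False Rejection trade-off. The landmark coordinates, the 1 cm depth-relief liveness test standing in for what an IR/depth-capable camera can check, and the noise model are all constructed assumptions for the example and say nothing about how Windows Hello is actually implemented.

```python
"""Toy landmark-distance face matcher (constructed example, not Windows Hello)."""
import itertools
import math
import random
from typing import List, Sequence, Tuple

Point3 = Tuple[float, float, float]  # x, y, z in metres; z is depth from the sensor


def template(landmarks: Sequence[Point3]) -> List[float]:
    """Scale-normalised pairwise 2D distances (x, y only, as a plain camera sees them).

    Dividing by the largest distance removes the dependence on how far the face
    is from the camera, which is also why a re-scaled print still fits.
    """
    dists = [math.hypot(a[0] - b[0], a[1] - b[1])
             for a, b in itertools.combinations(landmarks, 2)]
    scale = max(dists)
    return [d / scale for d in dists]


def score(enrolled: Sequence[float], probe: Sequence[float]) -> float:
    """Mean absolute difference between two templates; 0.0 means identical."""
    return sum(abs(a - b) for a, b in zip(enrolled, probe)) / len(enrolled)


def depth_relief(landmarks: Sequence[Point3]) -> float:
    """Depth range across the landmarks: a real face has ~2 cm, a print has 0."""
    zs = [p[2] for p in landmarks]
    return max(zs) - min(zs)


def verify(enrolled: Sequence[float], probe: Sequence[Point3],
           threshold: float, anti_spoofing: bool) -> bool:
    """Accept if the geometry matches; with anti_spoofing also require depth relief.

    The depth test is an assumed stand-in for a liveness check that needs
    IR/depth hardware; a plain 2D camera cannot perform it.
    """
    if anti_spoofing and depth_relief(probe) < 0.01:
        return False
    return score(enrolled, template(probe)) <= threshold


# Constructed enrolment data: eyes, nose tip, mouth corners (assumed values).
ALICE: List[Point3] = [(-0.030, 0.030, 0.000), (0.030, 0.030, 0.000), (0.000, 0.000, 0.020),
                       (-0.020, -0.030, 0.005), (0.020, -0.030, 0.005)]
BOB: List[Point3] = [(-0.036, 0.026, 0.000), (0.036, 0.026, 0.000), (0.000, -0.004, 0.022),
                     (-0.018, -0.038, 0.004), (0.018, -0.038, 0.004)]


def printed_photo(landmarks: Sequence[Point3]) -> List[Point3]:
    """A photograph keeps every x, y position but flattens depth to zero."""
    return [(x, y, 0.0) for x, y, _ in landmarks]


def jitter(landmarks: Sequence[Point3], sigma: float, rng: random.Random) -> List[Point3]:
    """Simulate sensor noise and small head movement between captures."""
    return [(x + rng.gauss(0, sigma), y + rng.gauss(0, sigma), z) for x, y, z in landmarks]


def far_frr(threshold: float, trials: int = 200, sigma: float = 0.002,
            seed: int = 1) -> Tuple[float, float]:
    """Estimate (false-accept rate, false-reject rate) at a given threshold.

    Alice is the enrolled user and Bob the impostor. The seeded RNG makes the
    estimate repeatable, so tightening the threshold can only move FAR down
    and FRR up: there is no setting that improves both.
    """
    rng = random.Random(seed)
    enrolled = template(ALICE)
    rejected = sum(not verify(enrolled, jitter(ALICE, sigma, rng), threshold, False)
                   for _ in range(trials))
    accepted = sum(verify(enrolled, jitter(BOB, sigma, rng), threshold, False)
                   for _ in range(trials))
    return accepted / trials, rejected / trials


if __name__ == "__main__":
    enrolled = template(ALICE)
    photo = printed_photo(ALICE)
    print("photo, geometry only:  ", verify(enrolled, photo, 0.02, anti_spoofing=False))
    print("photo, with liveness:  ", verify(enrolled, photo, 0.02, anti_spoofing=True))
    for t in (0.005, 0.01, 0.02, 0.04, 0.08):
        far, frr = far_frr(t)
        print(f"threshold {t:.3f}: FAR {far:.2f}  FRR {frr:.2f}")
```

Running it shows the two failure modes side by side: a print of Alice scores exactly 0.0 against her template because the matcher only ever looks at 2D distances, and only the depth-based liveness test rejects it; the threshold sweep shows FAR rising and FRR falling as the threshold loosens, so whatever value a vendor ships is a choice of which error to tolerate, not an elimination of either.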

  13. bigfeet555

    oops!

    Don't worry. You'll be able to download a patch in a year or two.
