The Windows 10 facial recognition system was tricked by a printed-out photograph, raising concerns among users about the security of Microsoft's current operating system.
The incident is similar to previous reports of the Samsung Galaxy S8's facial recognition feature being fooled by a photo and Apple's Face ID for the iPhone X being beaten by a $150 mask.
Windows Hello Tricked With Printed Photo
Researchers from German security firm SYSS discovered a Windows 10 vulnerability that allowed attackers to trick the operating system's facial recognition feature, known as Windows Hello, using a printed-out photograph.
In the report published by SYSS, researchers Philipp Buchegger and Matthias Deeg said that Windows Hello may be tricked using printed photos of the authorized user. The pictures need to meet certain requirements, though: each image should be captured with a near-infrared camera, show a frontal view of the person's face, be edited to adjust brightness and contrast, and be printed using a laser printer.
The near-infrared camera for taking the photograph of the target person is a key component of the attack. This is because Windows Hello also uses near-infrared imaging for unlocking Windows 10 devices, as the technology works in poor lighting conditions and is rarely used to take pictures.
The attack requires special equipment and image modifications, but SYSS showed through proof-of-concept videos that it really works. The researchers were able to unlock a Dell Latitude laptop with an attached LilBit camera and a Surface Pro 4 using the method.
The researchers found that the trick worked on older versions of Windows, even when the anti-spoofing mode of Windows Hello was enabled on the machines. Newer builds of Windows 10 detected the trick when the anti-spoofing feature was activated, but turning it off allowed Windows Hello to be tricked by the picture.
How To Prevent Windows 10 Facial Recognition Security Breach
The researchers were able to carry out the attack successfully on Windows 10 devices that had not yet installed the Fall Creators Update, which Microsoft rolled out in October.
Windows 10 device owners who often use Windows Hello are not automatically protected just by installing the update and enabling the anti-spoofing feature, though. Users who previously set up the facial recognition system on older versions of Windows 10 will be required to go through the process of setting up Windows Hello again to safeguard themselves and their devices from the discovered vulnerability.