Search the Community

After you update, set it up again from scratch If you've skipped recent Windows 10 Creators Updates, here's a reason to change your mind: its facial recognition security feature, Hello, can be spoofed with a photograph. The vulnerability was announced by German pentest outfit Syss at Full Disclosure. Even if you've installed the fixed versions that shipped in October – builds 1703 or 1709 – facial recognition has to be set up from scratch to make it resistant to the attack. The “simple spoofing attacks” described in the post are all variations on using a “modified printed photo of an authorised user” (a frontal photo, naturally) so an attacker can log into a locked Windows 10 system. On vulnerable versions, both the default config, and Windows Hello with its “enhanced anti-spoofing” feature enabled, Syss claimed. “If 'enhanced anti-spoofing' is enabled, depending on the targeted Windows 10 version, a slightly different modified photo with other attributes has to be used, but the additional effort for an attacker is negligible.” The researchers tested their attack against a Dell Latitude running Windows 10 Pro, build 1703; and a Microsoft Surface Pro running 4 build 1607. They tried to change the Surface Pro's config to “enhanced anti-spoofing”, but claimed its “LilBit USB IR camera only supported the default configuration and could not be used with the more secure face recognition settings.” The researchers published three proof-of-concept videos, below. ® Via theregister.co.uk