Near-infrared image trickery can allow an attacker to bypass Windows 10 Hello face authentication.
Security researchers are urging Windows 10 users to update their systems to prevent attackers from using a printed headshot to bypass Windows Hello facial authentication.
Researchers from German pen-testing firm SYSS reported that Windows 10 systems that have not yet received the recent Fall Creators Update are vulnerable to a "simple spoofing attack using a modified printed photo of an authorized person". The attack works against multiple versions of Windows 10 and different hardware. The researchers tested the spoofing attack against a Dell Latitude with a LilBit USB camera and against a Surface Pro 4 running various versions of Windows 10, going back to one of the first releases, version 1511.
SYSS claims the spoofing attack was successful on a Surface Pro 4 running version 1607 of Windows 10, the Anniversary Update rolled out in summer 2016, even with Microsoft's enhanced anti-spoofing enabled. On version 1703, the Creators Update rolled out in spring 2017, and on 1709, the Fall Creators Update currently being rolled out, the attack was only successful when anti-spoofing was disabled.
However, just applying the Fall Creators Update is not enough to block the spoofing attack, according to SYSS. To prevent a successful attack, users also need to set up Windows Hello face authentication from scratch after the update and enable anti-spoofing.
SYSS provided two videos demonstrating its proof-of-concept attacks. A third video shows the attack on a Surface Pro that was updated to version 1709 without reconfiguring Hello face authentication.
A key element of the attack appears to be taking a headshot of the authenticated user with the near-infrared (IR) camera. Windows Hello uses near-IR imaging to unlock Windows devices. Microsoft chose near-IR imaging for authentication because it worked in poor lighting and offered some protection against spoofing attacks, since IR images aren't typically displayed in photos or on a screen.
SYSS printed out a modified version of the near-IR captured headshot in various resolutions and colors. Holding the printout up to a locked device's camera successfully unlocked it. Another method involved placing opaque sticky tape over the RGB camera lens and then holding the same printout up.
As far as the fix goes, SYSS notes that in its test only the Surface Pro 4 supported enhanced anti-spoofing while the LilBit USB IR camera did not.
The company plans to reveal further variations of its attack in spring 2018.
"According to our test results, the newer Windows 10 branches 1703 and 1709 are not vulnerable to the described spoofing attack by using a paper printout if the "enhanced anti-spoofing" feature is used with respective compatible hardware," SYSS wrote.
"Thus, concerning the use of Windows Hello face authentication, SYSS recommend updating the Windows 10 operating system to the latest revision of branch 1709, enabling the "enhanced anti-spoofing" feature, and reconfiguring Windows Hello face authentication afterwards."
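The SYSS recommendation above can be turned into a quick host audit. The following PowerShell is an added example, not code from the article or from SYSS; it assumes the branch is readable from the ReleaseId value under CurrentVersion and that the "Configure enhanced anti-spoofing" policy is stored as the EnhancedAntiSpoofing DWORD under the Biometrics\FacialFeatures policy key. The third part of the advice, reconfiguring face authentication after the update, leaves no reliable registry trace, so it is reported as a manual follow-up rather than checked.

```powershell
# Added example (not from the article or SYSS): audit a Windows 10 host against
# the SYSS recommendation (branch 1709, enhanced anti-spoofing on, Hello face
# re-enrolled afterwards). Assumed locations: ReleaseId under CurrentVersion
# holds the branch ("1709"), and the enhanced anti-spoofing policy lives in the
# EnhancedAntiSpoofing DWORD under the Biometrics\FacialFeatures policy key.
function Test-HelloAntiSpoofingPosture {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $release = [int]$cv.ReleaseId

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
    $antiSpoof = (Get-ItemProperty -Path $policyKey -Name EnhancedAntiSpoofing `
                    -ErrorAction SilentlyContinue).EnhancedAntiSpoofing

    # Per SYSS: 1607 fell to the printout even with anti-spoofing on; 1703 and
    # 1709 resisted it only when anti-spoofing was enabled on compatible hardware.
    $branchOk = $release -ge 1703
    $antiSpoofState = if ($antiSpoof -eq 1) { 'Enabled' }
                      elseif ($null -eq $antiSpoof) { 'Not configured' }
                      else { 'Disabled' }

    $findings = @()
    if (-not $branchOk) {
        $findings += "Branch $release is older than 1703; SYSS observed the bypass even with anti-spoofing enabled."
    }
    if ($antiSpoofState -ne 'Enabled') {
        $findings += "Enhanced anti-spoofing is $antiSpoofState; the 1703/1709 fix depends on it being enabled."
    }
    # The policy alone is not sufficient: SYSS found the LilBit USB IR camera did
    # not support enhanced anti-spoofing at all, so confirm the camera's capability.
    $findings += "Manual: confirm the IR camera supports enhanced anti-spoofing, and that Hello face was re-enrolled after updating to 1709."

    [pscustomobject]@{
        ReleaseId            = $release
        BranchIsSafe         = $branchOk
        EnhancedAntiSpoofing = $antiSpoofState
        MeetsSyssAdvice      = ($release -ge 1709 -and $antiSpoofState -eq 'Enabled')
        Findings             = $findings
    }
}

Test-HelloAntiSpoofingPosture | Format-List
```

Run it in an elevated PowerShell session on each Windows 10 host with Hello face enabled; MeetsSyssAdvice is only the part that can be verified from the registry, and the Findings list carries the steps that still need a human.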
Microsoft had not responded to a request for comment at the time of publication.
Image caption: Simple spoofing attack works against multiple versions of Windows 10. (Image: SYSS)