Windows 10 Face Recognition Vulnerability: System Fooled by Photo

Windows 10 Face Recognition Can Be Fooled with a Photo

Security researchers from the German company SySS GmbH have discovered a vulnerability in the Windows Hello face recognition feature for Windows 10. The experts were able to trick the system and unlock a device using a specially processed and printed photograph.

Windows Hello is a feature exclusive to Windows 10 that uses infrared imaging to authenticate users and unlock devices equipped with a camera that has an infrared sensor. The feature has not become widespread, as few devices have the required hardware.

How the Attack Works

According to the researchers, the system can be fooled with a photo of the device owner’s face, after first modifying the image to match the necessary IR spectrum and then printing it on a laser printer at low resolution (340 × 340 pixels).

The experts managed to carry out the attack even with the “enhanced anti-spoofing” feature enabled, although this required a higher-resolution photo (480 × 480 pixels).

The researchers also succeeded in bypassing the feature using a black-and-white photo, after covering the infrared sensor with opaque tape.

Microsoft’s Response

Microsoft has released patches to fix the vulnerability in Windows 10 versions 1703 and 1709.

Video Demonstration

A video demonstrating the attack is available from the researchers.
