Windows Hello, a new face scanning security feature in Windows 10, has been defeated with the use of a printed out picture. ZDNet reports that security researchers from German firm SYSS have defeated Windows Hello on Windows 10 machines running older versions of the operating system. Multiple versions of Windows 10 are affected, and a number of different hardware.
SYSS tested Microsoft’s own Surface Pro 4 device running last year’s Windows 10 Anniversary Update, and found it was vulnerable. Even Microsoft’s anti-spoofing feature of Windows Hello didn’t help protect systems running older versions of Windows 10. SYSS found that if the anti-spoofing feature is disabled on the Creators Update (released earlier this year) or Fall Creators Update (released in October) then you can still bypass Windows Hello. Many modern laptops do not support the anti-spoofing feature of Windows Hello, so devices are still vulnerable even with the latest Windows updates.
Even applying the latest Windows 10 Fall Creators Update, that fixes the exploit if anti-spoofing is enabled, might not be enough to block the attack. Windows 10 users who previously set up Windows Hello on an older version of Windows 10 (like the Anniversary Update last year) will still be vulnerable. Security researchers are recommending that Windows 10 users with Windows Hello enabled go back into settings and setup the facial recognition again, and also ensure that anti-spoofing is enabled if a device supports it.
This type of attack does require a printed picture of the authenticated user with an infrared camera, so it’s not exactly easy to complete successfully. We’ve seen similar spoofing attacks for Samsung’s Galaxy S8 facial scanner which required far less sophisticated images. The Verge has reached out to Microsoft for comment on SYSS’ findings, and we’ll update you accordingly.
Update, 9AM ET: Article updated to make it clearer that some devices do not support the anti-spoofing feature of Windows Hello.