The Windows Hello facial recognition system in Windows 10 has been fooled by security researchers from Germany using nothing more than a printed picture. Researchers from the German pen-testing firm SySS report that Windows 10 PCs that have not yet been updated to the Fall Creators Update are vulnerable to this “simple spoofing attack using a modified printed photo of an authorized person.” They were able to gain access using a printed photo on multiple versions of Windows 10 and different hardware.
The researchers tested this spoofing attack using a Dell Latitude machine and a LilBit USB camera. They also tested it on Microsoft’s Surface Pro 4 running multiple versions of Windows 10. They went as far back as version 1511, which was one of the first Windows 10 releases.
They also report that even enabling Microsoft’s anti-spoofing feature for Windows 10 on these older versions doesn’t help. On the Creators Update as well as the Fall Creators Update, the attack works when the anti-spoofing feature is disabled.
In order to block the spoofing attack, users have to make sure that they’re running the Fall Creators Update. That’s not enough, though. They also have to set up Windows Hello facial recognition from scratch after updating and enable anti-spoofing.
Since most modern notebooks don’t support Windows Hello’s anti-spoofing feature, users may find that their devices remain vulnerable even if they’re on the latest update and have set up the feature from scratch.
Microsoft has not commented on this as yet. It is best to follow the security firm’s recommendations if you want to ensure that no one gains unauthorized access to your machine using Windows Hello.