Windows 10 Facial Recognition Feature Can Be Bypassed with a Photo

Windows Hello, the face scanning security feature in Windows 10, has been defeated with the use of a printed out picture. From a report: In a report published yesterday, German pen-testing company SySS GmbH says it discovered that Windows Hello is vulnerable to the simplest and most common attack against facial recognition biometrics software -- the doomsday scenario of using a printed photo of the device's owner. Researchers say that by using a laser color printout of a low-resolution (340x340 pixels) photo of the device owner's face, modified to the near IR spectrum, they were able to unlock several Windows devices where Windows Hello had been previously activated. The attack worked even if the "enhanced anti-spoofing" feature had been enabled in the Windows Hello settings panel, albeit for these attacks SySS researchers said they needed a photo of a higher resolution of 480x480 pixels (which in reality is still a low-resolution photo). [...] Microsoft released updates earlier this month to patch the vulnerability.

Missing step

What does "modified to the near infrared spectrum" mean?

My printer can't print "near infrared" or radio waves. It can't even print gamma rays.

Such a dumb idea!

[140Mandak262Jamuna]

Who comes up with such stupid ideas like using the camera and face detection as authentication method?

Re:Such a dumb idea!

[Anubis+IV]

How about everyone? After all, when was the last time you started a conversation with someone you know by asking someone to authenticate their identity, rather than recognizing who they were and talking to them like normal? These companies are attempting to mimic the way things work in reality, which, generally speaking, is a good thing...when it’s done right.

Re:Such a dumb idea!

[holophrastic]

Actually, in-person, we may use facial-recognition to *identify* a person, but never to authenticate their request. For that, we use a signature -- because no one can accidentally give their signature, and we all understand that my signature means you can act, everything else is merely conversation.

The problem here is that the digital facial recognition isn't being used to populate "Hello Jonathan". It's being used to accept commands like "reveal private information", "spend money", "install software", "delete everything".

In the digital world, we like to put the major security up-front (the login credentials), and then the brief security last-minute (the are you sure confirmation). In the real world, we use brief security (you're here to close your account?) at the start of the conversation, and the major security (sign this waiver) at the last minute.

That's because in the real world, getting past the front door gives you physical access, but doesn't really grant you control over anybody. Sure you can steal trinkets, but you can't command someone to do something.

The signature has two benefits. The first is as mentioned above -- we know it means "go". The second is that it is VERY illegal to forge someone else's signature. There are real consequences to that. So it's not something to worry about.

The awesome thing about a password (in theory, of course) is that no one can get it from you without your willingness to give it to them. It's not written anywhere, except in your head, and we've yet to figure a way to read someone's brain memory. Pick the right password, protect it properly, and you needn't worry.

My face, my fingerprints, my dna, my iris, are all scattered around the world, everytime I touch something, go somewhere, or look at something. That's why those things are so great for forensics -- it's very difficult to avoid leaving them as evidence.

Passwords (in theory) are far better. Come up with a type/method/system of password generation/management/transmission, and they'll be infinitely better than anything else imaginable.

Re:waiting for DNA sequencing authenetication

> spit into this tube to log into your computer
> you just know someone will try jack off into it

(oldie but goodie):

One day Bill complained to his friend that his elbow really hurt. His friend suggested that he go to a computer at the drug store that can diagnose anything quicker and cheaper than a doctor.

''Simply put in a sample of your urine and the computer will diagnose your problem and tell you what you can do about it. It only costs $10." Bill figured he had nothing to lose, so he filled a jar with a urine sample and went to the drug store. Finding the computer, he poured in the sample and deposited the $10. The computer started making some noise and various lights started flashing. After a brief pause out popped a small slip of paper on which was printed: "You have tennis elbow. Soak your arm in warm water. Avoid heavy lifting. It will be better in two weeks."

Later that evening while thinking how amazing this new technology was and how it would change medical science forever, he began to wonder if this machine could be fooled. He mixed together some tap water, a stool sample from his dog and urine samples from his wife and daughter. To top it off, he masturbated into the concoction. He went back to the drug store, located the machine, poured in the sample and deposited the $10. The computer again made the usual noise and printed out the following message:

"Your tap water is too hard. Get a water softener. Your dog has worms. Get him vitamins. Your daughter is using cocaine. Put her in a rehabilitation clinic. Your wife is pregnant with twin girls. They aren't yours. Get a lawyer. And if you don't stop jerking off, your tennis elbow will never get better."

Re:Is this really a surprise?

[phayes]

Simple means have been shown to be useful for simple biometrics. Simple means are of much less use when some thought is put into the sensors and how to use them.

The claim that FaceID is easily/cheaply bypassed can be laid to rest after a month where no-one other than the people from Bkav were able to duplicate it without resorting to using the passcode to train FaceID to recognize the 3D model.

As for being fingerprints, I've talked with some police forces lab techs who look for and scan crime scene fingerprints. The vast majority of liftable prints are from the balls of your fingers so don't use them for TouchID.

As anyone who has had their fingerprints taken for whatever reason knows, they only ask for the balls of your fingers though they often roll your fingers to get the sides too. What they rarely take is the ends of your fingers -- because with the exception of your dominant hand index, it is much less common that people leave them as usable prints.

By using just the tip of a a non-index finger for TouchID one it makes it much harder to gain that liftable print but still works fine with TouchID.

Even with people generally using the balls of their fingers with TouchID there have been zero reports of a lifted and duplicated print being used to bypass device security. If it were such a danger, one would expect there to have been at least a one story, but no.

As used in Space Quest III

[jellomizer]

I remember the 1989 Game Space Quest III one of the final puzzles before the action sequences for the end game. Was to wonder the cubes of a software company, being a janitor, cleaning the garbage in each cube you walked by. Working your way to the CEO office taking his ID Card, and on the way back going to the photocopier taking his portrait and make a color copy of it. Using his ID Card and the portrait to gain access to the End Game area. As there was a super advance card reader with a face scanner on it.
There were two more puzzle actions, pushing a button to extend a bridge, and using your trash vaporizer to free some software developers from their lime gelatin imprisonment. But those were rather easy.

With this explanation it is easy to tell the game didn't take itself too seriously. And this spoof of a software company was a jab at Microsoft calling it Scumsoft. and the CEO being a kid CEO as Bill gates was considered at the time.

The Face ID Apple has while not perfect seems to have done it better then anyone else. Because they are a hardware company first, they took a hardware approach to the problem, by adding an IR dot projection of your face to aid in matching. Vs. Microsoft and Google who took a software approach using existing hardware try to get a match.