The vulnerability was announced by German pentest outfit Syss at Full Disclosure.
Even if you’ve installed the fixed versions that shipped in October – builds 1703 or 1709 – facial recognition has to be set up from scratch to make it resistant to the attack.
The “simple spoofing attacks” described in the post are all variations on using a “modified printed photo of an authorised user” (a frontal photo, naturally) so an attacker can log into a locked Windows 10 system.
On vulnerable versions, both the default config, and Windows Hello with its “enhanced anti-spoofing” feature enabled, Syss claimed.
“If ‘enhanced anti-spoofing’ is enabled, depending on the targeted Windows 10 version, a slightly different modified photo with other attributes has to be used, but the additional effort for an attacker is negligible.”
The researchers tested their attack against a Dell Latitude running Windows 10 Pro, build 1703; and a Microsoft Surface Pro running 4 build 1607.
They tried to change the Surface Pro’s config to “enhanced anti-spoofing”, but claimed its “LilBit USB IR camera only supported the default configuration and could not be used with the more secure face recognition settings.”
The researchers published three proof-of-concept videos, below. ®