Earlier this week, Andre showed us how to set up Windows Hello so you can sign in to Windows 10 using your face. Reading that post, it made me think of two things immediately.
First, was Adele.
Next, was Space Quest III: The Pirates of Pestulon.
Space Quest was made by Sierra in the late 80s, but it’s set in the distant future in space. In the final chapter of the game, the hero Roger Wilco has to infiltrate the enemy base to rescue two game developers who have been imprisoned in lime Jello. Part of the plot involves foiling an access door that’s protected by a facial scanner. The solution? Hold up a color photo to the machine when it goes to authenticate your face.
In the game, this works perfectly. Which made me wonder:
Can you hack Windows Hello with a photograph?
Fortunately, Microsoft has had over two decades to work on this vulnerability that brought down the villains of ScumSoft.
You see, there’s a reason that you can’t use Windows Hello with just any old computer using any old camera. Windows Hello-supported devices use two cameras to create a 3D image of your face. It also uses infrared as part of its facial analysis. The infrared helps in low light situations, but most of all, it prevents spoofing with a cold, flat paper photo.
In this technical article on Windows Hello from Microsoft, you can see the infrared in action:
Or the lack of infrared action on a photo:
The answer to the question of whether or not you can trick Windows Hello with something as primitive as a color photograph is “no.” Some people have suggested that you could use a 3D model of someone’s face to trick the camera, but then you’re left with the infrared challenge. So, I guess you could maybe microwave it a little bit and then…ah, forget it, just go hack someone else’s computer.
Conclusion: You Can’t Trick Microsoft Hello with a Picture
If you need further proof, watch Sean Ong on YouTube. He tries to unlock his Windows 10 PC with a photo and fails.
So, there you have it. If only the Pirates of Pestulon would’ve implemented infrared technology. Then ScumSoft may have gotten away with its evil plot after all.