Facial Recognition Hacking: Can You Trick Windows Hello with a Photo?
Criminals can steal your password, but they can’t steal your face. Or can they?
Earlier this week, Andre showed us how to set up Windows Hello so you can sign in to Windows 10 using your face. Reading that post immediately made me think of two things.
First was Adele.
Next was Space Quest III: The Pirates of Pestulon.
Space Quest was made by Sierra in the late 80s, but it’s set in the distant future in space. In the final chapter of the game, the hero Roger Wilco has to infiltrate the enemy base to rescue two game developers who have been imprisoned in lime Jello. Part of the plot involves foiling an access door that’s protected by a facial scanner. The solution? Hold up a color photo to the machine when it goes to authenticate your face.
In the game, this works perfectly. Which made me wonder:
Can you hack Windows Hello with a photograph?
Fortunately, Microsoft has had over two decades to work on this vulnerability that brought down the villains of ScumSoft.
You see, there’s a reason that you can’t use Windows Hello with just any old computer using any old camera. Windows Hello-supported devices use two cameras to create a 3D image of your face. They also use infrared as part of their facial analysis. The infrared helps in low-light situations, but most of all, it prevents spoofing with a cold, flat paper photo.
In this technical article on Windows Hello from Microsoft, you can see the infrared in action:
Or the lack of infrared action on a photo:
The answer to the question of whether or not you can trick Windows Hello with something as primitive as a color photograph is “no.” Some people have suggested that you could use a 3D model of someone’s face to trick the camera, but then you’re left with the infrared challenge. So, I guess you could maybe microwave it a little bit and then…ah, forget it, just go hack someone else’s computer.
Conclusion: You Can’t Trick Microsoft Hello with a Picture
If you need further proof, watch Sean Ong on YouTube. He tries to unlock his Windows 10 PC with a photo and fails.
So, there you have it. If only the Pirates of Pestulon had implemented infrared technology, ScumSoft might have gotten away with its evil plot after all.
What about a test wearing a Jack Busch over-the-head look-alike (probably rubber) mask?
As soon as someone makes one of those, I’ll give it a shot.
This is untrue. My friends used a photo of me to access my PC first try. Maybe they got lucky but they definitely got in.
I would have to agree with Stephen on this one. I found this article in a Google search. My kid just consistently unlocked my 2017 Surface Pro no less than 20 times using a 4×6 photograph of me mounted in a frame. Not sure if the glass over the photo had an impact or what, but it has reliably unlocked the Surface Pro every time he tried it. I even tried re-recording my face to see if that helped, but the photo is unlocking the PC every time he tries it. I’ve had to disable it to keep him off the device.
Great feedback, Gary – hopefully Microsoft is paying attention. Will be curious to see if Apple can do any better now that facial recognition is the primary way to unlock an iPhone 10 now.