Security researchers have found a way to bypass the Windows Hello facial recognition that is used by hundreds of thousands of Windows 10 users to log in.
The latest batch of ‘Patch Tuesday’ security updates from Microsoft has landed with a hefty thump. With 116 vulnerabilities fixed, 12 of which were rated as critical and two already being exploited, the usual advice to install those updates as soon as possible applies, not least because one of them fixes the PrintNightmare vulnerability in the Windows print spooler service that could lead to a remote takeover of your system.
However, the vulnerability that really caught my attention is one with the potential to impact a massive 85% of all Windows 10 consumers: a way for an attacker to bypass the Windows Hello facial recognition login authentication system.
Here’s what we know and what you need to do next.
The Windows 10 facial recognition vulnerability explained
Security researchers at CyberArk Labs have discovered a vulnerability within the Windows Hello facial authentication process, CVE-2021-34466, that could allow an attacker to gain access to a Windows 10 computer. Scary sounding stuff, but how worrying is this in a real-world setting for the average Windows 10 user?
Let’s start by looking at what the vulnerability is. The full technical explanation has been published on the CyberArk website, but here’s the brief version. The Windows Hello facial recognition process requires a camera with two separate sensors, namely an infra-red one and an RGB one.
However, the researchers found that only the output from one of these, the infra-red images, was processed during authentication. Indeed, they replaced the RGB user image with that of SpongeBob to prove the point.
The vulnerability, then, is that an attacker would only need a single valid infra-red frame to bypass the system.
Complexity of exploitation lessens the impact considerably for most users
Well, sort of, and this is where the scariness starts to fade a little. The exploitation of the vulnerability is far from an easy process. For a start, the attacker needs that infra-red image of the user. The researchers say that this can be achieved by walking past someone, placing a camera in an elevator, etc. So already, this is starting to sound like a somewhat unlikely risk to the average user.
And it gets even more unlikely when you realise that even if the attacker got that infra-red image of your face, they would still require physical access to your computer for stage two.
Stage two is the insertion of a custom-built USB device that can then inject the spoofed image.
So, should Windows 10 users stop using Windows Hello authentication?
In an email addressing the vulnerability status, a CyberArk Labs spokesperson wrote that “the bypass would be of particular use to a criminal launching a targeted espionage attack, with targeted attacks having increased in popularity over the past three years as nation-states and organised groups realise their potential.”
This is true enough, but most Windows 10 users are not on the nation-state espionage radar. Moreover, even if they were, I suspect much easier methods that didn’t require physical access to a computer would be higher on the attack menu.
“When I see these sorts of announcements of security authentication bypass by either 3D printing, high-resolution digital photography or Tom Cruise descending on wires to ‘hack in,’ the hype machine is always deflated by the words requires physical access,” Ian Thornton-Trump, the chief information security officer at threat intelligence experts Cyjax, told me. “Mission Impossible operatives as a threat model aside,” Thornton-Trump concludes, “I think we can all rest comfortably on this issue.”
What does Microsoft have to say?
Microsoft has stated that “customers with Windows Hello Enhanced Sign-in Security are protected against such attacks which tamper with the biometrics pipeline.” As the name suggests, this is a more robust biometric system requiring factory-installed hardware and drivers for the computer.
You can see if this is enabled for you by opening the Windows Security app and heading for Device Security. Unfortunately, if there’s no Enhanced Sign-in Security section displayed, you don’t have it.
But don’t despair because Microsoft also stated that it “released a security update on July 13 that mitigates this issue.”
Tuesday, July 13, to be precise. Patch Tuesday. So, install those updates and don’t worry unduly about this one.
The Witcher’s Geralt of Rivia drops into Fortnite with his mate Doom Slayer
(Pocket-lint) – Fortnite has always been the king of the crossover and now it’s at it again with Chapter 4 Season 1 with Geralt and Doom Slayer making an appearance.
The next big thing in Fortnite is now live with Chapter 4 Season 1 getting an all-new map and a whole lot more. One of those things is a new character called Selene, available from the get-go. But things will get interesting for The Witcher fans come mid-season when Epic Games adds Geralt of Rivia as a Battle Pass skin.
As always, the Battle Pass costs 950 V-Bucks and as you progress through you’ll unlock items and whatnot. Geralt will be unlocked via that Battle Pass, as will Doom Slayer – of DOOM fame, of course. Other unlockable skins include Massai, Dusty, Nezumi, Helsie, and The Ageless. The Geralt unlock won’t be available until later on in the season, Epic says.
The latest season includes plenty of other tweaks and treats and makes use of Unreal Engine 5.1, making this the best-looking version of Fortnite to date on PlayStation 5, Xbox Series X|S, and PC.
All of this will take place on a brand-new island with new points of interest that include The Citadel, Anvil Square, and Brutal Bastion.
The new season of Fortnite is up and running right now and you can get involved yourself. You can play Fortnite on just about anything right now and the download is of course free.
Writing by Oliver Haslam.
‘Elden Ring’ Reveals Free PvP Colosseum Update, Hopefully Ahead Of DLC Announcement
FromSoftware has just released a new trailer for an upcoming free update to Elden Ring that drops tomorrow, Wednesday December 7.
It’s a PvP-focused update to the game which will herd players into battles in the many colosseums dotting the map, hence why it’s called the “Colosseum Update.” They just released a new trailer for it.
According to the official press release about the addition, we have some confirmation on what exactly the modes are that will be added:
“The Colosseums of Limgrave, Leyndell and Caelid will open their gates, allowing players to engage in battles such as duels, free-for-alls and team fights.”
In the trailer, we see a traditional 1v1 battle at the start, but it progresses to players fighting each other’s summons, and then finally a 3v3 team fight battle which is well beyond anything the game is currently capable of.
Elden Ring has spent many months balancing all of its magic and weapon skills in an effort to try to create more parity in PvP, which has turned out to be a significant part of the game, and the core of the game’s endgame once you’ve done everything in PvE.
There is a theory that I personally subscribe to, that FromSoft is revealing this PvP update now and launching it tomorrow so it will not get drowned out by a potential announcement this Thursday at The Game Awards. There are rumblings, and fervent prayers, that this would be the stage in which they would finally announce sizable, PvE DLC for Elden Ring. We are well, well behind the pacing of past DLC announcements from FromSoft games, given that Elden Ring came out almost ten months ago now, but it’s obviously a bigger game than past ones. Elden Ring DLC repeatedly is brought up as the “World Premiere” at The Game Awards that everyone is hoping to see, and these days, with the demise of E3, it’s pretty much the biggest place in the industry to debut things, outside of first party PlayStation and Xbox showcases.
That’s the hope anyway, but the concrete facts right now are just that this PvP update will come tomorrow, so get your builds ready and find some teammates in order to take on the toughest PvP challenges in the game yet. Should be a lot of fun.
Witcher 3’s Free DLC Update Doesn’t Have A Switch Release Date Yet
Next week sees the arrival of The Witcher 3’s “next-gen” update across multiple platforms, but new information suggests it won’t be coming to the Nintendo Switch on the same date.
Our friends at Eurogamer caught up with CD Projekt Red ahead of the free update’s release, and apparently, there’s “no specific release date yet” for the Nintendo Switch version of the game. All that’s known is it will arrive “later than 14th December”.
Witcher 3 next-gen update producer Ryu Underhill mentioned how the team was “working hard to bring it to [Switch] players” as soon as possible, and more information will be shared in the near future.
When the Switch version of this update does arrive, players can expect the “same fixes and additional content” as other platforms like Xbox One and PlayStation 4. The Switch will also receive cloud-save and cross-progression features, as well as the new Netflix DLC. This new quest will last for about “half-an-hour”, according to Eurogamer:
“…it’s about half-an-hour’s worth, plus a bit more for a follow-up step. It was flagged as level 15…”
Obviously, the Switch update will not include “next-gen features such as visuals/technical/gameplay improvements, modes” or “other additions” exclusive to next-generation platforms.
Via Eurogamer: “The Witcher Netflix DLC is a new scavenger hunt-style quest that takes place inside The Devil’s Pit in Velen. The Devil’s Pit is the place you find yourself immediately after leaving the starter zone of White Orchard. It’s that big, circular, wooden-fence-ringed place where nothing seems to actually happen. Currently, there are only some humanoid enemies in there, and the big door to the mine is closed. This DLC opens those doors.”