Specially prepared photos shown bypassing Windows Hello facial recognition

SySS demonstrates using the printout of the IR photo to trick Windows Hello on a Surface Pro 4.

Security researchers at a German security firm, SySS, have shown that the Windows Hello facial recognition can be tricked by using specially prepared printouts of photographs. Microsoft added an “enhanced anti-spoofing” mode in the Windows 10 Creators Update earlier this year that properly defeats the attack, but it’s neither enabled by default nor compatible with all Windows Hello hardware.

The obvious question with any kind of facial recognition-based biometric authentication system is, how easily can it be tricked with a photograph? Since it’s easy to take a picture of someone’s face, often without them even knowing, a facial recognition system that can be fooled by a photo isn’t much use. The Windows Hello system has two main parts: there’s the physical hardware, which for Hello is a webcam with infrared illumination and detection, and the software algorithms, which are part of Microsoft’s Biometric Framework. With this design, Microsoft can refine and improve the algorithms, and the improvements should work for any compatible hardware.

Windows Hello’s infrared requirement should protect it from being spoofed by regular photos. So what the researchers from SySS did was use a photo taken with an infrared camera. This photo was then adjusted to change its contrast and brightness and printed at a low resolution on a laser printer. The resulting picture was successful at authenticating a user with Hello on two separate devices: a Surface Pro 4, using its integrated camera, and a laptop, using a discrete LilBit USB camera.

While the picture produced this way would not fool an RGB camera, it looks sufficiently close to what the infrared camera expects to see to allow the attacker to log on.

The Windows 10 Creators Update, version 1703, included a little-documented feature called “enhanced anti-spoofing.” It is enabled by changing a registry key or Group Policy setting, and its exact purpose or effect isn’t entirely clear. It appears to integrate infrared and RGB data, making the infrared-only photo distinguishable from a real human. With this setting enabled, the picture was no longer effective.

However, this setting isn’t a panacea. Besides being awkward to enable (there’s no user interface for it, so modifying the registry is the only way to go), it’s not available for all Hello hardware, and there’s no obvious way of knowing whether it will work. The cameras integrated into Microsoft’s Surface devices support enhanced anti-spoofing, but the LilBit that was tested doesn’t. We also haven’t seen compatibility with this feature disclosed on spec sheets, either for laptops or for standalone cameras. Additionally, even if it is compatible with your hardware, the setting isn’t enabled by default, at least for systems that were upgraded to Windows 10 1703.

Taken together, all this means that a security option that every Windows Hello user should want to enable probably isn’t turned on and may not even work.
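Because the setting is off by default and has no user interface, the practical first step is to audit it. The following PowerShell is an added example, not code from the article or from SySS; it assumes the setting lives at the registry location used by the "Configure enhanced anti-spoofing" Group Policy (the article does not name the key), and the function names are hypothetical.

```powershell
# Added example: audit (and optionally enforce) the enhanced anti-spoofing policy.
# Assumption: the policy is the DWORD 'EnhancedAntiSpoofing' under the key below,
# which is where the "Configure enhanced anti-spoofing" Group Policy is stored.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
$ValueName  = 'EnhancedAntiSpoofing'

function Get-HelloAntiSpoofingState {
    # Returns 'NotConfigured', 'Disabled' or 'Enabled' for the local machine.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }   # key or value missing: the default
    if ([int]$item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-HelloAntiSpoofing {
    # Needs an elevated session; creates the policy key if it does not exist.
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($PolicyPath, "Set $ValueName = 1")) {
        if (-not (Test-Path $PolicyPath)) {
            New-Item -Path $PolicyPath -Force | Out-Null
        }
        New-ItemProperty -Path $PolicyPath -Name $ValueName -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

# Version 1703 (Creators Update) is build 15063; earlier builds predate the feature.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    Build            = $build
    FeatureAvailable = ($build -ge 15063)
    AntiSpoofing     = Get-HelloAntiSpoofingState
}
```

A result of `Enabled` only confirms that the policy value is set. It does not show that the camera supports the feature, so re-test face sign-in on each hardware model after enforcing it.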

Listing image by SySS

from Ars Technica http://ift.tt/2BuxSRo
via IFTTT

Hotel charged guests $350 after bad online reviews, so Indiana AG sues

This is the “Patio Suite” at the Abbey Inn.

from Ars Technica http://ift.tt/2zeRtPw
via IFTTT

Bitcoin’s price plunges amid broad cryptocurrency sell-off

After rocketing to a high above $19,500 last Sunday, bitcoin’s price has been steadily dropping this week. Those losses accelerated overnight, with the cryptocurrency falling below $13,000.

Bitcoin’s losses come amid a broad cryptocurrency selloff. As of Friday morning, every major cryptocurrency was posting double-digit 24-hour losses. Ethereum is down 28 percent over the last 24 hours, Bitcoin Cash is down 37 percent, and Litecoin is down 32 percent.

To be fair, all of these currencies—like bitcoin—have seen massive gains in recent weeks. They’re all well above their value at the start of December, to say nothing of values earlier in the year.

But the broad-based blockchain slide comes as a growing chorus of experts warn that cryptocurrency valuations could be an unsustainable bubble. Yesterday, a beverage company called the Long Island Iced Tea Company renamed itself “Long Blockchain” and was rewarded somewhat hysterically with a nearly 3-fold increase in its stock price. This story, and others like it, has convinced some observers that we’re seeing a repeat of the 1990s technology boom.

One factor weighing on bitcoin in particular is the network’s skyrocketing transaction fees. Two weeks ago, the daily average fee to send a bitcoin transaction hit an all-time high of $26. This week, the network left that record in the dust, with the average fee on Thursday reaching more than $50.

Of course, bubble warnings have been common throughout the cryptocurrency boom of the last year, and bitcoin has had several double-digit crashes before. In each of these past cases, bitcoin recovered its value and zoomed to new heights. The big question is whether this time is different.

from Ars Technica http://ift.tt/2BzHeLE
via IFTTT

Washington state: Comcast was “even more deceptive” than we thought

from Ars Technica http://ift.tt/2BjEjTc
via IFTTT