A Windows Hello Authentication Bypass Vulnerability Was Fixed by Microsoft
The Authentication Bypass Vulnerability Was Able to Let Threat Actors Spoof A Target’s Identity by Tricking the Face Recognition Mechanism.
Windows Hello scans a user's face with infrared and red-green-blue (RGB) cameras and matches the data obtained against a password hash for authentication. The Windows Hello authentication bypass vulnerability was apparently able to let threat actors spoof a target's identity.
The number of Windows 10 customers that are using Windows Hello in order to sign in to their devices instead of a password grew from 69.4% to 84.7% during 2019, according to data provided by Microsoft.
Researchers at CyberArk Labs discovered that attackers can build a custom USB device that Windows Hello will accept and use it to completely circumvent Windows Hello's facial recognition mechanism with a single valid infrared (IR) frame of the target.
Omer Tsarfati reported the Windows Hello vulnerability, tracked as CVE-2021-34466 and rated as important severity, to Microsoft back in March.
This year I’ll present on August 4-5 my latest research on how we managed to bypass Windows Hello facial recognition. https://t.co/Il7bWeGNUn
In the meantime, we published a new blog that contains everything you need to be prepared for our Blackhat session https://t.co/mGZuNPC6iJ pic.twitter.com/uqkWGERN62
— Omer Tsarfati (@OmerTsarfati) July 13, 2021
Microsoft's assessment of the vulnerability found that an unauthenticated adversary would need physical access to the target's device to exploit it, and rated the attack complexity as high.
The vulnerability allows an attacker with physical access to the device to manipulate the authentication process by capturing or recreating a photo of the target's face and subsequently plugging in a custom-made USB device to inject the spoofed images into the authenticating host.
We have no evidence that this attack has been used in the wild, but it could be used by a motivated attacker to target a researcher, scientist, journalist, activist or privileged user with sensitive IP on their device, for example.
Not All Windows Hello Users Were in Danger
A Windows 10 security update was recently released in an attempt to address the CVE-2021-34466 Windows Hello Security Feature Bypass Vulnerability as part of the July 2021 Patch Tuesday.
Fortunately, it looks like Windows Hello customers with biometric sensor hardware and drivers that have support for Enhanced Sign-in Security are not exposed to attacks abusing this security flaw.
Customers with Windows Hello Enhanced Sign-in Security are protected against such attacks which tamper with the biometrics pipeline.
Enhanced Sign-in Security is a new security feature in Windows which requires specialized hardware, drivers, and firmware that are pre-installed on the system by device manufacturers in the factory.
Please contact your device manufacturers for the state of Enhanced Sign-in Security on your device.
The researchers at CyberArk Labs said that although using the Enhanced Sign-in Security with compatible hardware can restrict the attack surface, this might be highly dependent on what cameras the targets are using.