A security researcher from CyberArk Labs uncovered a flaw in the Windows 10 Hello facial recognition system that allows an attacker to circumvent authentication by using a faked image.
Windows Hello is a biometric authentication system that uses facial recognition, fingerprints, or a PIN to log users in. According to Microsoft, 85% of users use the system to restrict access to their computers.
According to Omer Tsarfati, the vulnerability affects both the consumer version of Windows Hello and Windows Hello for Business (WHfB).
He released a proof-of-concept video illustrating how the team was able to bypass Windows Hello authentication by transmitting infrared picture frames from a homemade USB device.
Windows Hello biometric authentication vulnerability requires physical access and a pluggable device
To exploit the weakness, an attacker needs physical access to the Windows 10 device, according to the researcher.
The attackers then use a custom-made USB device to record and reconstruct the person’s face before injecting the faked image into the targeted device.
The researcher wrote: “To verify this, we did an experiment in which we created a custom USB device that acts as a USB camera with IR and RGB sensors, for this purpose, we used an evaluation board manufactured by NXP. With this new custom USB camera, we transmitted valid IR frames of our “target person,” while the RGB frames we sent were images of SpongeBob, and to our surprise, it worked!”
The study cited Microsoft’s statement that “humans tend to seem significantly different in a Near IR image vs. RGB image (Color image).” The researchers also noted that USB devices can be cloned to look like other devices, and that IR images can be generated from color images.
An attacker will need a USB camera that can capture both RGB and IR images. To pass authentication, they simply need to submit one real IR image.
They could do this by converting an RGB frame to an IR frame. Tsarfati speculated that the flaw may be expanded to other biometric authentication systems that use pluggable third-party USB cameras as the biometric sensor.
Through the inserted camera, which operates as an external data source, a threat actor can modify the input and deceive the operating system.
Microsoft mitigation does not fully address Windows Hello vulnerability
On July 13, 2021, Patch Tuesday, Microsoft published a patch to solve the Windows Hello biometric authentication vulnerability, as well as other issues including PrintNightmare.
Microsoft also promoted the Enhanced Sign-in Security feature of Windows Hello.
The feature requires Trusted Platform Module 2.0 and Virtualization Based Security (VBS), as well as specialized pre-installed hardware, drivers, and firmware.
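The two platform prerequisites named above, TPM 2.0 and VBS, can be checked from an elevated PowerShell session, and because the bypass relies on a pluggable USB camera acting as the biometric sensor, it is worth inventorying which camera devices are attached. The script below is an added example, not code from the article, CyberArk, or Microsoft; the cmdlets and WMI classes it calls are standard Windows ones, while the output field names and the "review" verdicts are my own. It cannot confirm whether Enhanced Sign-in Security itself is active, since that also depends on vendor-specific hardware, drivers, and firmware the script has no way to inspect.

```powershell
# Added example (not from the article): check the TPM 2.0 and VBS prerequisites
# for Windows Hello Enhanced Sign-in Security and list attached camera devices.
# Run as Administrator on Windows 10/11.

function Get-TpmStatus {
    $tpm  = Get-Tpm -ErrorAction SilentlyContinue
    $spec = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                            -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Present     = [bool]($tpm -and $tpm.TpmPresent)
        Ready       = [bool]($tpm -and $tpm.TpmReady)
        # SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec level.
        SpecVersion = if ($spec) { ($spec.SpecVersion -split ',')[0].Trim() } else { 'unknown' }
    }
}

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $map = @{ 0 = 'NotEnabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
    [pscustomobject]@{
        Status          = if ($dg) { $map[[int]$dg.VirtualizationBasedSecurityStatus] } else { 'unknown' }
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
        ServicesRunning = if ($dg) { ($dg.SecurityServicesRunning -join ',') } else { 'none' }
    }
}

function Get-CameraInventory {
    # Cameras enumerate under the "Camera" class on current builds and "Image" on older ones.
    Get-PnpDevice -Class Camera, Image -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.FriendlyName
            Status      = $_.Status
            InstanceId  = $_.InstanceId
            # Pluggable cameras enumerate on the USB bus. Many built-in sensors are
            # internally USB-attached too, so treat this as a prompt to review the
            # device, not as proof that it is external.
            UsbAttached = ($_.InstanceId -like 'USB\*')
        }
    }
}

$tpm = Get-TpmStatus
$vbs = Get-VbsStatus
$cams = @(Get-CameraInventory)

Write-Output "TPM present: $($tpm.Present), ready: $($tpm.Ready), spec: $($tpm.SpecVersion)"
Write-Output "VBS status: $($vbs.Status), services running: $($vbs.ServicesRunning)"
if ($tpm.SpecVersion -ne '2.0' -or $vbs.Status -ne 'Running') {
    Write-Warning 'TPM 2.0 and running VBS are both required for Enhanced Sign-in Security.'
}

Write-Output "Camera devices found: $($cams.Count)"
$cams | Format-Table Name, Status, UsbAttached, InstanceId -AutoSize
$cams | Where-Object { $_.UsbAttached } | ForEach-Object {
    Write-Warning "Review whether '$($_.Name)' is the expected Windows Hello sensor."
}
```

The prerequisite check is the actionable part for a fleet: machines reporting a TPM spec other than 2.0 or a VBS status other than Running cannot enable the mitigation Microsoft pointed to, and remain reliant on the vendor-specific fix alone. The camera inventory is a review aid; it flags devices for a human to confirm against the hardware manifest rather than deciding anything on its own.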
The researcher, on the other hand, thought Microsoft’s response to the insecure Windows Hello biometric authentication was lacking. He emphasized that relying on compatible hardware merely narrows the attack surface without eliminating the need for trustworthy input peripheral devices.