Microsoft issues advice after hackers bypass Windows Hello security
Security researchers have shown that it is possible to bypass the biometric security of Windows Hello. Using a fake webcam, the CyberArk Labs research team was able to fool the facial recognition component of Windows Hello by sending it infrared images.
Windows Hello requires a camera with RGB and IR sensors, but the security tool actually only uses the IR imagery. Using a custom USB device, hackers can manipulate the stream of data that the camera sends, injecting IR imagery of an authorized user.
CyberArk's Omer Tsarfati explains that it is relatively easy to obtain an IR image of a "target". This can be achieved either by using a dedicated IR camera to take a photograph from a distance, or by converting a regular RGB image into an IR one. Armed with this image and the necessary hardware, the hack is easily executed.
To verify this, we did an experiment in which we created a custom USB device that acts as a USB camera with IR and RGB sensors. For this purpose, we used an evaluation board manufactured by NXP. With this new custom USB camera, we transmitted valid IR frames of our “target person,” while the RGB frames we sent were images of SpongeBob, and to our surprise, it worked!
The researchers noted:
Apparently, we only need one IR frame and an entirely black frame. When we tried to send only one valid IR frame in the buffer, Windows Hello didn't accept our input as valid, but when we sent both the black frame and the proper IR frame, we got in. We think that there is a "Liveness" / anti-spoofing mechanism that looks for changes between every two frames that come in a row.
In his write-up, Omer Tsarfati notes that while there is currently no evidence that the vulnerability has been exploited, it is nonetheless an attack vector that exists:
The vulnerability allows an attacker with physical access to the device to manipulate the authentication process by capturing or recreating a photo of the target’s face and subsequently plugging in a custom-made USB device to inject the spoofed images to the authenticating host. We have no evidence that this attack has been used in the wild, but it could be used by a motivated attacker to target a researcher, scientist, journalist, activist or privileged user with sensitive IP on their device, for example.
Microsoft has responded to the findings, saying:
Microsoft released a security update on July 13 that mitigates this issue. For more information, please see CVE-2021-34466.
In addition, customers with Windows Hello Enhanced Sign-in Security are protected against such attacks which tamper with the biometrics pipeline.
Enhanced Sign-in Security is a new security feature in Windows which requires specialized hardware, drivers, and firmware that are pre-installed on the system by device manufacturers in the factory. Please contact your device manufacturers for the state of Enhanced Sign-in Security on your device.
CyberArk points out that the mitigation requires the use of specific cameras and says that its investigations will continue.
Full details of the findings, including a proof-of-concept video, are available over on the CyberArk website. The company says that it will give a presentation of its discovery at Black Hat 2021 on August 4-5, 2021.