Windows Hello Bypass Fools Biometrics Safeguards in PCs

silversurfer

Level 75
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
6,431
A vulnerability in Microsoft’s Windows 10 password-free authentication system has been uncovered that could allow an attacker to spoof an image of a person’s face to trick the facial-recognition system and take control of a device.

Windows Hello is a feature in Windows 10 that allows users to authenticate themselves without a password, using a PIN code or biometric identity—either a fingerprint or facial recognition—to access a device or machine. According to Microsoft, about 85 percent of Windows 10 users use the system.

The Windows Hello bypass vulnerability, tracked as CVE-2021-34466, requires an attacker to have physical access to a device to exploit it, according to researchers at CyberArk Labs who discovered the flaw in March.

From there, they can go on “to manipulate the authentication process by capturing or recreating a photo of the target’s face and subsequently plugging in a custom-made USB device to inject the spoofed images to the authenticating host,” Omer Tsarfati, cybersecurity researcher at CyberArk Labs, wrote in a report about the vulnerability published Tuesday.

Further, exploitation of the bypass can extend beyond Windows Hello systems to “any authentication system that allows a pluggable third-party USB camera to act as biometric sensor,” Tsarfati noted.

Researchers have no evidence that anyone has tried or used the attack in the wild, but someone with motive could potentially use it on a targeted victim, such as “a researcher, scientist, journalist, activist or privileged user with sensitive IP on their device, for example,” according to the analysis.
Microsoft addressed the vulnerability — which affects both consumer and business versions of the feature — in its July Patch Tuesday update, so users should apply the update to avoid being affected.
 
F

ForgottenSeer 85179

Microsoft provide already since years an Anti-Spoofing group policy for Hello biometric.

Don’t know why it’s not enabled by default. Typical Microsoft compatibility pattern I guess
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,444
Biometrics in general always had major security issues and problems, no matter what company/vendor. The posted article is another sad proof of that. It might very well seem smooth and fast for users, but it's also the same many times for thieves/crooks. The good part in this case is, the discovered vulnerability is now patched.

Microsoft btw, needs to enable other parts by default and should have done so ages ago. Hide known file extensions by default, is a sure way to help users get easier infected.
 

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,987
Biometrics in general always had major security issues and problems, no matter what company/vendor. The posted article is another sad proof of that. It might very well seem smooth and fast for users, but it's also the same many times for thieves/crooks. The good part in this case is, the discovered vulnerability is now patched.

Microsoft btw, needs to enable other parts by default and should have done so ages ago. Hide known file extensions by default, is a sure way to help users get easier infected.
Windows 11 ?
 

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,987
While i agree mostly with you, it exists one exception:
FaceID from Apple.

It's the only biometric solution which is secure.
It was not completely secure in the past, first Google hit:
It's not impossible by any means, but it does require a sleeping or unconscious victim who happens to have an iPhone protected with FaceID and who won't wake up when you are stuffing a pair of specs onto their face.
 

CyberTech

Level 36
Verified
Nov 10, 2017
2,511
Security researchers have shown how they were able to bypass Windows 10's Windows Hello biometric authentication with just a single infrared frame of the target.

Researchers at security firm Cyber Ark have detailed the Windows Hello authentication bypass and how an attacker could exploit it.

The attack is quite elaborate and would require planning, including being able to acquire an infrared (IR) image of the target's face and building a custom USB device, such as a USB web camera, that will work with Windows Hello. The attack exploits how Windows 10 treats these USB devices and would require the attacker to have gained physical access to the target PC.

But with those pieces in place, an attacker could gain access to sensitive information on the target's Windows 10 PC – and potentially information stored in Microsoft 365 cloud services.

"With only one valid IR frame of the target, the adversary can bypass the facial recognition mechanism of Windows Hello, resulting in a complete authentication bypass and potential access to all the victim's sensitive assets," Cyber Ark researcher Omer Tsarfati explained in a blogpost.

The rest
 

Local Host

Level 24
Verified
Sep 26, 2017
1,325
How did you remove online Windows account password without access to the account like email/ 2FA itself?
You said well Windows account password, not Microsoft account password.

Windows stores the password locally, else you wouldn't even be able to login on the PC when not connected to the Internet.

So you can remove and replace the password like any other, you can't get the password per se since it's encrypted.

This actually caused issues in safe mode, ever since Microsoft implemented Windows Hello on Setup, as the password set on the account wasn't your Microsoft Account password (which is why Microsoft implemented Windows Hello in Safe Mode too).
 
  • Like
Reactions: harlan4096
Top