Microsoft has addressed a security feature bypass vulnerability in the Windows Hello authentication biometrics-based tech, letting threat actors spoof a target’s identity and trick the face recognition mechanism into giving them access to the system.
According to Microsft, the number of Windows 10 customers using Windows Hello to sign in to their devices instead of a password grew from 69.4% to 84.7% during 2019.
Exploitation requires physical access
As discovered by CyberArk Labs security researchers, attackers can create custom USB devices that Windows Hello will work with to completely circumvent Windows Hello’s facial recognition mechanism using a single valid IR (infrared) frame of the target.
Tsarfati reported the Windows Hello vulnerability tracked as CVE-2021-34466 and rated as Important severity to Microsoft in March.
Based on Microsoft’s assessment of the security vulnerability, unauthenticated adversaries require physical access to the target’s device to exploit it in high complexity attacks.
“The vulnerability allows an attacker with physical access to the device to manipulate the authentication process by capturing or recreating a photo of the target’s face and subsequently plugging in a custom-made USB device to inject the spoofed images to the authenticating host,” security researcher Omer Tsarfati explained.
“We have no evidence that this attack has been used in the wild, but it could be used by a motivated attacker to target a researcher, scientist, journalist, activist or privileged user with sensitive IP on their device, for example.”
Some Windows Hello users protected from attacks
Microsoft has released Windows 10 security updates to address the CVE-2021-34466 Windows Hello Security Feature Bypass Vulnerability as part of the July 2021 Patch Tuesday.
According to Redmond, Windows Hello customers with biometric sensor hardware and drivers with support for Enhanced Sign-in Security are not exposed to attacks abusing this security flaw.
“Customers with Windows Hello Enhanced Sign-in Security are protected against such attacks which tamper with the biometrics pipeline,” Microsoft said in a statement.
“Enhanced Sign-in Security is a new security feature in Windows which requires specialized hardware, drivers, and firmware that are pre-installed on the system by device manufacturers in the factory.”
“Please contact your device manufacturers for the state of Enhanced Sign-in Security on your device,” the company added.
CyberArk Labs concluded their report on the CVE-2021-34466 vulnerability saying that, although Enhanced Sign-in Security with compatible hardware restricts the attack surface, this highly depends on what cameras the targets are using.
The CyberArk Labs researchers will present their findings at Black Hat 2021 on August 4-5, 2021.
Further technical information on how the researchers bypassed Windows Hello’s authentication mechanism can be found in CyberArk Labs’ report.