CyberArk Labs has released a new investigation into a critical vulnerability in Windows Hello that enables attackers to bypass face recognition on the target device. The vulnerability is tracked as CVE-2021-34466 and carries a CVSS severity score of 5.7. Microsoft has already included a fix for it in the Patch Tuesday release.
CyberArk Labs is the research team that discovered the sophisticated GoldenSAML technique used by the attackers behind the SolarWinds compromise to carry out one of the costliest supply chain attacks of all time. According to the new investigation, the proof of concept (PoC) for bypassing facial recognition during authentication could have comparable implications for targeted espionage activities around the world.
Microsoft has developed two versions of Windows Hello: one for home users and a corporate version called Windows Hello for Business (WHfB). Windows Hello was introduced in 2015 and makes authentication as easy as looking at the computer screen. It also enables passwordless authentication in Windows environments with native support.
As expected, the main differences between the consumer and enterprise versions lie in how they are used, how they are implemented, and the environment in which they operate. For example, Windows Hello for Home is aimed at individuals and entertainment devices, that is, home users. In contrast, WHfB is aimed at companies and organizations that run Active Directory and want to deploy a passwordless solution.
According to Microsoft, 85% of Windows 10 users use Windows Hello for passwordless authentication. The CyberArk Labs team found a way to manipulate the face recognition mechanism that Windows Hello relies on, using a custom-built USB camera and a photo of the target person. Although the researchers focused on Windows Hello, the PoC has implications for any authentication system that uses a third-party attachable USB camera as a biometric sensor.
As the research shows, this type of attack is extremely relevant to targeted espionage, where the target is known and the attacker has physical access to the device. It would have a major impact on researchers, scientists, journalists, activists and other users holding intellectual property or confidential data on their devices.
The attack vector works like this: capture an image of the victim, store the captured images, output them through a USB camera device, and finally feed these images to the system for verification. The core of the vulnerability is that Windows Hello accepts external data sources that can be manipulated as a basis of trust.
Windows Hello facial recognition requires a camera that supports both RGB and infrared (IR). Such a camera has two separate sensors that together present themselves as a single USB device. Only the frames from the IR sensor are processed during authentication.
With this understanding, an attacker would have to implement a USB camera that supports RGB and IR images. This USB device then only has to send real IR frames of the victim in order to pass the login phase, while the RGB frames can contain anything. In the CyberArk Labs experiment, the researchers bypassed Windows Hello authentication with images of SpongeBob in the RGB stream.
Statement from Omer Tsarfati, Security Researcher at CyberArk Labs and author of the research:
“Based on our initial tests to fix the vulnerability, using Enhanced Sign-in Security with compatible hardware limits the attack surface, but is dependent on users using certain cameras. The system-inherent security risk of implicitly trusting peripheral devices remains. To mitigate this inherent security problem, the host should validate the integrity of the biometric authentication device before trusting it.”
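The trust model the article describes (only the IR stream is matched, and any device that delivers it is believed) and the fix the researcher recommends (validate the device before trusting its data) can be put side by side in a small simulation. The following is an added example, not CyberArk's proof of concept or Microsoft's code: the device IDs, frames, and provisioning key are constructed, a SHA-256 hash stands in for the biometric template, and an HMAC over the device ID stands in for the hardware attestation a real host would check.

```python
import hashlib
import hmac
from dataclasses import dataclass

# --- Constructed sample data (not real biometric data) ---
# The enrolled template stands in for the user's stored face model.
ENROLLED_IR_FRAME = b"constructed IR frame of the legitimate user"
ENROLLED_TEMPLATE = hashlib.sha256(ENROLLED_IR_FRAME).digest()

# Hypothetical secret provisioned into the trusted camera at enrollment time.
# It models the device integrity check the article calls for; a real design
# would rely on hardware attestation rather than a shared key.
PROVISIONING_KEY = b"constructed provisioning key"
TRUSTED_CAMERA_ID = "integrated-ir-camera-0001"


@dataclass
class CameraFrames:
    """One capture delivered by a camera device to the host."""
    device_id: str
    rgb: bytes          # never consulted by the matcher, as the article notes
    ir: bytes           # the only stream the matcher looks at
    attestation: bytes  # proof that the device was provisioned by this host


def ir_matches(ir_frame: bytes) -> bool:
    """Stand-in for the biometric matcher: compare the IR frame to the enrolled template."""
    return hmac.compare_digest(hashlib.sha256(ir_frame).digest(), ENROLLED_TEMPLATE)


def naive_authenticate(frames: CameraFrames) -> bool:
    """Trust model described in the article: any device that delivers a matching
    IR frame is accepted, regardless of what that device is."""
    return ir_matches(frames.ir)


def device_attestation(device_id: str, key: bytes = PROVISIONING_KEY) -> bytes:
    """Value a provisioned camera can produce and a counterfeit one cannot."""
    return hmac.new(key, device_id.encode(), hashlib.sha256).digest()


def hardened_authenticate(frames: CameraFrames) -> bool:
    """Validate the source before trusting its data: only a known, attested device
    gets its IR frames forwarded to the matcher."""
    if frames.device_id != TRUSTED_CAMERA_ID:
        return False
    if not hmac.compare_digest(frames.attestation, device_attestation(frames.device_id)):
        return False
    return ir_matches(frames.ir)


def legitimate_capture() -> CameraFrames:
    """The provisioned camera delivering a live frame of the enrolled user."""
    return CameraFrames(
        device_id=TRUSTED_CAMERA_ID,
        rgb=b"constructed RGB frame",
        ir=ENROLLED_IR_FRAME,
        attestation=device_attestation(TRUSTED_CAMERA_ID),
    )


def replayed_capture() -> CameraFrames:
    """An external device replaying a stored IR image of the user, with arbitrary
    RGB content and no valid attestation (it never held the provisioning key)."""
    return CameraFrames(
        device_id="external-usb-camera",
        rgb=b"anything at all",
        ir=ENROLLED_IR_FRAME,
        attestation=b"",
    )


def spoofed_id_capture() -> CameraFrames:
    """A device that claims the trusted ID but cannot produce a valid attestation."""
    return CameraFrames(
        device_id=TRUSTED_CAMERA_ID,
        rgb=b"anything at all",
        ir=ENROLLED_IR_FRAME,
        attestation=hmac.new(b"wrong key", TRUSTED_CAMERA_ID.encode(), hashlib.sha256).digest(),
    )


if __name__ == "__main__":
    for name, capture in [("legitimate", legitimate_capture()),
                          ("replayed", replayed_capture()),
                          ("spoofed id", spoofed_id_capture())]:
        print(f"{name:11s} naive={naive_authenticate(capture)} "
              f"hardened={hardened_authenticate(capture)}")
```

Running it shows the naive matcher accepting all three captures, because the IR content is identical in each, while the hardened path accepts only the capture from the provisioned device. Note that the hardened check addresses which device is trusted, not whether the IR frame is live; liveness detection is a separate control that the article does not cover.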