Researchers have shown that it is possible to spoof and bypass the Windows Hello facial recognition system used for passwordless logins on personal computers.
A vulnerability in Microsoft’s Windows 10 password-free authentication system has been uncovered that could allow an attacker to spoof an image of a person’s face to trick the facial recognition system and take control of a device.
Windows Hello uses infrared and red-green-blue (RGB) cameras to scan users’ faces and match the data obtained against a password hash for authentication.
Windows Hello is a feature in Windows 10 that allows users to authenticate themselves without a password, using a PIN code or biometric identity—either a fingerprint or facial recognition—to access a device or machine. According to Microsoft, about 85 percent of Windows 10 users use the system.
By using a single captured infrared frame and a cloned USB device, researchers at security vendor CyberArk were able to spoof a user's face and gain access to a PC that used Windows Hello for Business for logins.
The Windows Hello bypass vulnerability, tracked as CVE-2021-34466, requires an attacker to have physical access to a device to exploit it, according to researchers at CyberArk Labs who discovered the flaw in March.
CyberArk believes it is also possible to create infrared frames from regular color images, using automated filters and machine-learning algorithms.
Researchers have no evidence that anyone has tried or used the attack in the wild, but someone with a motive could potentially use it on a targeted espionage victim, such as “a researcher, scientist, journalist, activist or privileged user with sensitive IP on their device, for example,” according to the analysis.
Microsoft issued a patch for the flaw today, applicable to supported versions of Windows 10 32-bit and 64-bit, and for ARM64-based systems.
CyberArk researchers posted a video of a proof-of-concept (PoC) exploit for the vulnerability, which affects both the consumer version, Windows Hello, and the enterprise version of the feature, Windows Hello for Business (WHfB), which businesses use with Active Directory.
To mitigate attacks that could bypass biometric user authentication, Microsoft suggests using Enhanced Sign-in Security.
To prove the concept, the researchers created a custom USB device that acts as a USB camera with both infrared (IR) and RGB sensors, built on an evaluation board manufactured by NXP. They used this custom camera to transmit valid IR frames of the person they were targeting.
One piece of good news for Windows Hello users is that those who use Windows Hello Enhanced Sign-in Security, a new security feature in Windows, are protected against such attacks. However, it requires specialized cameras, firmware, and hardware drivers to work.