A CyberArk Labs security researcher discovered a vulnerability in the Windows 10 Hello facial recognition system that allows an attacker to bypass authentication by feeding the system a spoofed infrared image of the victim.
Windows Hello is a “more secure” biometric authentication system that allows users to log in using facial recognition, fingerprints, or a PIN. Microsoft says that 85% of Windows 10 users rely on the system to protect their devices.
Omer Tsarfati said that the vulnerability affects both the consumer version of Windows Hello and Windows Hello for Business (WHfB).
He published a proof-of-concept video demonstrating how the team bypassed Windows Hello authentication using infrared image frames transmitted from a custom USB device.
Windows Hello biometric authentication vulnerability requires physical access and a pluggable device
The researcher noted that an attacker requires physical access to the Windows 10 device to exploit the flaw.
The attacker also needs an infrared image of the victim's face, which is then injected into the targeted device through a custom-made USB device that presents itself as a Windows Hello-compatible camera.
“To verify this, we did an experiment in which we created a custom USB device that acts as a USB camera with IR and RGB sensors,” the researcher wrote. “For this purpose, we used an evaluation board manufactured by NXP. With this new custom USB camera, we transmitted valid IR frames of our “target person,” while the RGB frames we sent were images of SpongeBob, and to our surprise, it worked!”
The research cited Microsoft's own documentation, which states “that people tend to look very different in a Near IR image vs. RGB image (Color image).” The researchers also noted that a USB device can be cloned to look like another device, and that IR images could potentially be generated from regular color images.
An attacker requires a USB camera, or a device emulating one, that reports both RGB and IR sensors. Because Windows Hello bases its decision on the IR frames alone, sending a single genuine IR frame of the victim is enough to pass authentication.
The researcher suggested that such a frame could potentially be obtained by converting a regular RGB image to IR. Tsarfati noted that the technique could be extended to any authentication system that accepts pluggable third-party USB cameras as the biometric sensor.
In that design the camera is an external, untrusted data source: whoever controls it controls the input on which the operating system bases its authentication decision.
“The sensor is a device that transmits information on which the OS, in particular Windows Hello, makes its authentication decision. Therefore, manipulating this information can lead to a potential bypass to the whole authentication system,” they wrote. The researcher noted that a biometric factor is in one respect weaker than a password, because a person's face is public and, unlike a password, cannot be changed once it has been captured.
Microsoft mitigation does not fully address Windows Hello vulnerability
Microsoft released a patch for the Windows Hello biometric authentication vulnerability on July 13, 2021, Patch Tuesday, alongside other fixes including those for PrintNightmare.
Microsoft also recommended using Windows Hello with its Enhanced Sign-in Security feature, which isolates the biometric processing path from the rest of the operating system. It requires specialized pre-installed hardware, drivers, and firmware, including a Trusted Platform Module 2.0 and Virtualization-Based Security (VBS).
However, the researcher said that Microsoft's response to the vulnerability was underwhelming. He pointed out that requiring compatible hardware only narrows the attack surface; it does not remove the underlying problem, which is that the host still trusts the input peripheral.
“To mitigate this inherent trust issue more comprehensively, the host should validate the integrity of the biometric authentication device before trusting it,” he suggested.
Devices that do not accept USB cameras for biometric authentication, such as smartphones, are safer because an attacker cannot directly inject electronically manipulated sensor input.
The researcher noted that the vulnerability had not been exploited in the wild. The stakes are higher, however, in a domain environment, where a Windows Hello for Business sign-in also grants access to Active Directory resources.
“If you are being directly targeted, I can see this type of attack being concerning, but I don’t believe it is a critical issue for Windows users generally,” says Chris Clements, Vice President, Solutions Architecture, Cerberus Sentinel.
“The need for physical access to the device and a high enough quality infrared picture of the user is a fairly high bar for cybercriminals to use at scale. Contrast this with the risk of widespread compromise from the recent PrintNightmare vulnerabilities that can compromise Windows systems completely remotely with no user interaction at all,” Clements continued.
He advised high-risk users such as system administrators to disable the Windows Hello facial recognition login feature.
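The two practical follow-ups from the sections above, checking whether a machine meets the Enhanced Sign-in Security prerequisites (TPM 2.0 and VBS) and disabling biometric sign-in for high-risk users, as an added PowerShell example that is not part of the article or of CyberArk's research. It assumes an elevated session on Windows 10 and that the registry paths below are the ones the corresponding Group Policy settings write to (confirm against the Biometrics.admx and Passport.admx templates before relying on them); on a domain-joined machine a GPO overrides these local values. The policies it sets disable biometric sign-in as a whole (face and fingerprint), not face alone, while PIN and password keep working.

```powershell
# Added example, not from the article or from CyberArk's research.
# Run in an elevated PowerShell session on Windows 10. The registry paths are
# assumed to be the locations written by the matching Group Policy settings;
# a domain GPO will override local policy values.
#Requires -RunAsAdministrator

# --- 1. Inventory the cameras present. Each one is an external data source that
#        Windows Hello trusts once a face is enrolled, so an unexpected USB camera,
#        or the built-in camera's VID/PID showing up on a different port, deserves
#        a look. The device class is "Camera" on current builds, "Image" on older ones.
Write-Host "== Cameras present =="
Get-PnpDevice -Class Camera, Image -PresentOnly -ErrorAction SilentlyContinue |
    Select-Object FriendlyName, Status, InstanceId |
    Format-Table -AutoSize

# --- 2. Check the prerequisites for Enhanced Sign-in Security: a TPM 2.0 and
#        Virtualization-Based Security that is actually running, not just enabled.
$tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$status = [pscustomobject]@{
    TpmPresent  = [bool]$tpm
    TpmSpec     = if ($tpm) { $tpm.SpecVersion } else { 'none' }
    Tpm2        = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')
    VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 0 = off, 1 = enabled, 2 = running
    HvciRunning = ($dg.SecurityServicesRunning -contains 2)       # 1 = Credential Guard, 2 = HVCI
}
Write-Host "== Enhanced Sign-in Security prerequisites =="
$status | Format-List

# --- 3. For high-risk users: turn off biometric sign-in through local policy.
#        These are the values behind "Allow users to log on using biometrics" and
#        the Windows Hello for Business "Use biometrics" setting (assumed paths).
#        They disable face and fingerprint together; PIN and password remain.
$bioCp = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'
$whfb  = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\Biometrics'
foreach ($key in $bioCp, $whfb) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}
Set-ItemProperty -Path $bioCp -Name 'Enabled'       -Value 0 -Type DWord
Set-ItemProperty -Path $whfb  -Name 'UseBiometrics' -Value 0 -Type DWord
Write-Host "Biometric sign-in disabled by local policy; sign out or run 'gpupdate /force' to apply."
```

Step 1 is an inventory, not a defence: as the research points out, a spoofed camera can present the same VID/PID as the genuine one, so a clean device list only tells you nothing obvious is attached. Step 3 is the blunt control the article's closing advice calls for; reversing it means deleting the two values or setting them back to 1.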