Security researchers have managed to fool Windows Hello. They got around Microsoft's facial recognition by building their own USB device, which presented itself to the PC as a webcam and replayed infrared images of the machine's owner.
The traditional way of logging in with a username and password is becoming less popular every day. Either the method is supplemented with two-factor authentication, or it gives way to biometric security. In the latter case, you protect your equipment and data with your own characteristics, such as a fingerprint, iris scan, facial profile or voice. The idea is that you no longer have to remember passwords and that your body characteristics are unique, so they are very difficult or impossible to imitate: there are no two identical fingerprints or facial contours.
Smartphones have had biometric security for years. The fingerprint scanner is perhaps the best-known example, and the technology continues to evolve. The optical fingerprint scanner, in which a small sensor under the screen lights up the finger and captures an image of its ridges, is increasingly being replaced by an ultrasonic scanner. In that variant, ultrasonic sound waves bounce off your finger and the reflection is compared with the stored profile of your fingerprint. Facial recognition and iris scanners are also getting better, and new biometric methods keep appearing (voice biometrics, palm recognition, the blood-flow pattern in your veins).
Microsoft has long offered its own form of biometric security: Windows Hello, the authentication system the American hardware and software company built into Windows 10. A family with several members can create a profile per person and protect each one with, for example, a fingerprint or facial recognition. This way dad knows for sure that sensitive company information is safely locked up while junior can play endlessly. According to Microsoft, 85 per cent of Windows 10 users use Windows Hello.
Windows Hello sounds safe and familiar, but it may be less secure than Microsoft makes it out to be. CyberArk security researchers have spent recent months investigating possible vulnerabilities in the authentication system, and they found a method to bypass Windows Hello facial recognition.
"The vulnerability allows an attacker with physical access to the device to manipulate the authentication process by taking (or imitating) a photo of the target's face and then plugging in a custom USB device to inject fake images into the authenticating host," writes CyberArk security researcher Omer Tsarfati.
He says there is no indication that hackers or cybercriminals have used this technique to circumvent Microsoft's facial recognition in the wild. "But a motivated attacker could use it, for example, to attack a researcher, scientist, journalist, activist or privileged user with sensitive intellectual property on their device."
Windows Hello facial recognition requires a camera that supports both RGB and infrared (IR). During the investigation, the researchers found that only the IR frames are used in the authentication decision: the RGB frames are not checked, and neither is the identity of the camera that delivers the frames. To confirm this, they built their own USB device around an NXP evaluation board. It enumerated on the PC as an ordinary webcam and sent previously captured, valid IR frames of the Windows Hello user together with RGB frames of the cartoon character SpongeBob SquarePants. Windows Hello accepted the stream as if it came from the real camera and unlocked the account. In practice, then, the attacker needs two things: physical access to the machine and an IR image of the victim's face.
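The weak point described above is that the host trusts any USB device that says it is a camera. One way a defender can look for this class of attack is to correlate the arrival of a camera-class USB device that is not the machine's known built-in camera with a face sign-in that follows shortly afterwards. The script below is an added example written for this article, not code from CyberArk or Microsoft. The log excerpt it parses is constructed for the example: the line layout, the source names "Kernel-PnP" and "WinBio", the event IDs 400 and 1100, and the device instance IDs are assumptions chosen for illustration (NXP's USB vendor ID is 0x1FC9; the "Camera" device setup class GUID is Windows' own), so map them onto your real telemetry before using the logic.

```python
"""Heuristic: flag a Windows Hello face sign-in that is preceded, within a short
window, by a newly enumerated camera-class USB device that is not on the machine's
allow-list of known cameras. Added example; log format and event IDs are assumed."""
import re
from datetime import datetime, timedelta

# Windows "Camera" device setup class GUID.
CAMERA_CLASS_GUID = "ca3e7ab9-b4c3-4ae6-8251-579ef933890f"

# Constructed sample export in the form "timestamp source event_id message".
# 046D is Logitech (the assumed built-in camera); 1FC9 is NXP, the vendor of the
# evaluation board the researchers used. Neither line is real Windows event text.
SAMPLE_LOG = """\
2021-07-02T09:00:01 Kernel-PnP 400 Device USB\\VID_046D&PID_0825\\5&1A2B3C was configured. ClassGuid=ca3e7ab9-b4c3-4ae6-8251-579ef933890f
2021-07-02T09:00:02 Kernel-PnP 410 Device USB\\VID_046D&PID_0825\\5&1A2B3C was started.
2021-07-02T09:03:40 Kernel-PnP 400 Device USB\\VID_1FC9&PID_0094\\7&DEADBEEF was configured. ClassGuid=ca3e7ab9-b4c3-4ae6-8251-579ef933890f
2021-07-02T09:03:41 Kernel-PnP 410 Device USB\\VID_1FC9&PID_0094\\7&DEADBEEF was started.
2021-07-02T09:03:55 WinBio 1100 Face sign-in succeeded for user CONTOSO\\alice
2021-07-02T14:12:00 WinBio 1100 Face sign-in succeeded for user CONTOSO\\alice
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
DEVICE_RE = re.compile(r"Device (\S+) was configured\. ClassGuid=([0-9a-fA-F-]+)")
LOGON_RE = re.compile(r"Face sign-in succeeded for user (\S+)")


def parse_events(text):
    """Return a list of (timestamp, source, event_id, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, source, eid, msg = m.groups()
        events.append((datetime.fromisoformat(ts), source, int(eid), msg))
    return events


def find_suspicious_face_logons(text, known_cameras=frozenset(), window=timedelta(minutes=10)):
    """Return one alert dict per (face logon, unknown camera) pair where the camera
    was configured at most `window` before the logon. Cameras in `known_cameras`
    (device instance IDs) are the machine's baseline and never raise an alert."""
    events = parse_events(text)

    # Pass 1: camera-class devices that are new to this machine.
    camera_arrivals = []
    for ts, source, eid, msg in events:
        if source == "Kernel-PnP" and eid == 400:
            m = DEVICE_RE.search(msg)
            if m and m.group(2).lower() == CAMERA_CLASS_GUID and m.group(1) not in known_cameras:
                camera_arrivals.append((ts, m.group(1)))

    # Pass 2: successful face sign-ins that fall inside the window after an arrival.
    alerts = []
    for ts, source, eid, msg in events:
        if source == "WinBio" and eid == 1100:
            m = LOGON_RE.search(msg)
            if not m:
                continue
            user = m.group(1)
            for arrival_ts, device in camera_arrivals:
                if timedelta(0) <= ts - arrival_ts <= window:
                    alerts.append({"logon": ts.isoformat(), "user": user, "device": device})
    return alerts


if __name__ == "__main__":
    baseline = {"USB\\VID_046D&PID_0825\\5&1A2B3C"}  # the assumed built-in camera
    for alert in find_suspicious_face_logons(SAMPLE_LOG, known_cameras=baseline):
        print("ALERT: face logon for {user} at {logon} after new camera {device}".format(**alert))
```

The allow-list is the important part: the attack needs a second camera to appear, so a face logon that arrives shortly after an unknown camera-class device is far more interesting than one following the laptop's own camera. Tune the window to how long the logon screen stays up in your environment, and treat the hit as a lead for a physical-access investigation rather than proof of compromise.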
CyberArk disclosed the vulnerability to Microsoft on March 23. At the end of April, the American hardware and software company acknowledged that this was a security problem that had to be solved, and it worked with CyberArk's researchers on a fix. In early July the issue received its own CVE identifier, CVE-2021-34466. On July 13, the July 2021 Patch Tuesday, Microsoft rolled out a security update that addresses the vulnerability. Microsoft's guidance for the CVE also points users to Windows Hello Enhanced Sign-in Security, which depends on supported hardware and drivers, so not every Windows 10 machine benefits from that stronger mode.