Microsoft has released a security patch to address a serious vulnerability in the Windows Hello authentication system. The flaw allows an attacker to bypass Windows Hello facial recognition using a custom USB camera, and was first reported to Microsoft by CyberArk Labs back in March.
Windows Hello is a passwordless authentication system that allows people to use face or fingerprint recognition to unlock a Windows device, or to log into various digital applications. In most cases, that utility is delivered through a built-in camera or fingerprint sensor, which sends the user’s biometric information to the Windows operating system for authentication.
An attacker can spoof Windows Hello by manipulating either that biometric data or the sensor that collects it. Doing so is comparatively hard when the sensor is built in and fully integrated into the design of the device.
The problem, according to CyberArk, is that Windows Hello also accepts third-party plug-in devices in place of those built-in sensors. A separate USB camera is far easier to tamper with: it can be a custom device that presents itself to Windows as a camera and sends whatever frames the attacker chooses. An attacker who has obtained an infrared image of the target's face can therefore feed that image to the Windows OS through the custom camera, and Windows Hello accepts it as if a genuine sensor had captured it.
The attack is difficult to carry out at scale, largely because the attacker needs physical access to the target device, including its USB ports, to pull it off. It would, however, be effective against high-profile targets, since an image of the target's face is enough to complete the spoof. The attacker does not need to beat a password or obtain any other secret held by the target, only data that can be gathered without the target's cooperation.
In its proof of concept, CyberArk completed the attack with an accurate infrared image of its target while sending RGB frames of SpongeBob SquarePants alongside it, demonstrating that the decision rests on the IR frame alone. The firm notified Microsoft about the vulnerability (which is why the company was able to push an update), but warned that the patch may not fully address the root cause: the system implicitly trusts whatever peripheral claims to be a camera. Closing that gap requires the host to verify the integrity and identity of a peripheral before accepting any data it transmits.
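The following Python model, added here as an illustration and not taken from CyberArk's proof of concept or from Microsoft's implementation, contrasts the design gap just described with the kind of fix the text calls for. A "naive" host matches any frame that arrives from any attached camera; an "attested" host issues a fresh nonce and accepts a frame only if the camera returns a MAC over that nonce and the frame under a key provisioned at pairing time. Everything in it is hypothetical: the IR frames are constructed byte strings, face matching is replaced by a hash comparison, and the pairing key and HMAC scheme are stand-ins for whatever a real hardware-backed sensor channel would use.

```python
"""Hypothetical model of peripheral trust in a biometric login flow.

Not Windows Hello or Enhanced Sign-in Security code. Face recognition is
replaced by a digest comparison; frames are constructed sample bytes.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: an "IR frame" is just a labelled byte string here.
VICTIM_IR_FRAME = b"IR:victim-face-sample-0001"
ATTACKER_IR_FRAME = b"IR:attacker-face-sample-0001"


def enroll(ir_frame: bytes) -> bytes:
    """Stand-in for template extraction: store a digest of the enrolled frame."""
    return hashlib.sha256(ir_frame).digest()


def matches(ir_frame: bytes, template: bytes) -> bool:
    """Stand-in for the face-recognition comparison."""
    return hmac.compare_digest(hashlib.sha256(ir_frame).digest(), template)


class AttestedSensor:
    """Trusted camera: holds a key the host provisioned at pairing and returns
    each frame with an HMAC over (host nonce || frame)."""

    def __init__(self, pairing_key: bytes, live_frame: bytes):
        self._key = pairing_key
        self._live_frame = live_frame  # what the sensor actually sees

    def capture(self, nonce: bytes):
        frame = self._live_frame
        tag = hmac.new(self._key, nonce + frame, hashlib.sha256).digest()
        return frame, tag


class SpoofUsbCamera:
    """Attacker's custom USB device: replays a victim IR frame obtained
    elsewhere. It has no pairing key, so the best it can do is resend a tag
    recorded from an earlier genuine session (or send a garbage tag)."""

    def __init__(self, replayed_frame: bytes, recorded_tag=None):
        self._frame = replayed_frame
        self._tag = recorded_tag or bytes(32)

    def capture(self, nonce: bytes):
        # The nonce is ignored: without the key no fresh MAC can be computed.
        return self._frame, self._tag


def naive_authenticate(device, template: bytes) -> bool:
    """Implicit trust in the peripheral: whatever frame arrives is matched."""
    frame, _tag = device.capture(secrets.token_bytes(16))
    return matches(frame, template)


def attested_authenticate(device, pairing_key: bytes, template: bytes) -> bool:
    """Check that the frame came from the paired sensor for THIS challenge
    before letting the face matcher see it."""
    nonce = secrets.token_bytes(16)
    frame, tag = device.capture(nonce)
    expected = hmac.new(pairing_key, nonce + frame, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # unpaired device, or a replay of an old capture
    return matches(frame, template)


def run_scenarios() -> dict:
    """Exercise both hosts against a genuine sensor and a replaying spoof."""
    key = secrets.token_bytes(32)
    template = enroll(VICTIM_IR_FRAME)
    genuine = AttestedSensor(key, VICTIM_IR_FRAME)

    # The attacker recorded a full (frame, tag) pair from a past genuine session.
    old_frame, old_tag = genuine.capture(secrets.token_bytes(16))
    spoof = SpoofUsbCamera(old_frame, old_tag)
    wrong_face = AttestedSensor(key, ATTACKER_IR_FRAME)

    return {
        "naive_accepts_genuine": naive_authenticate(genuine, template),
        "naive_accepts_spoof": naive_authenticate(spoof, template),
        "attested_accepts_genuine": attested_authenticate(genuine, key, template),
        "attested_rejects_spoof": not attested_authenticate(spoof, key, template),
        "attested_rejects_wrong_face": not attested_authenticate(wrong_face, key, template),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The point of the model is that the fix lives in the host, not the matcher: the spoof device carries a perfectly good IR frame of the victim, and the naive host accepts it, but the attested host rejects it because the replayed tag was computed over a previous nonce. A real deployment would bind the key to the sensor's firmware and driver, which is the sort of hardware requirement the Enhanced Sign-in Security feature imposes.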
CyberArk acknowledged that the patch is a security improvement. The exploit works against both the consumer and enterprise versions of Windows Hello, but not against systems using the Windows Hello Enhanced Sign-in Security feature, which requires specialized hardware, drivers, and firmware. Roughly 85 percent of Windows 10 users currently sign in with Windows Hello.
July 14, 2021 – by Eric Weiss