Security researchers have shown how they were able to bypass Windows 10’s Windows Hello biometric authentication with just a single infrared frame of the target.
Researchers at security firm CyberArk have detailed the Windows Hello authentication bypass and how an attacker could exploit it.
The attack is quite elaborate and would require planning, including being able to acquire an infrared (IR) image of the target’s face and building a custom USB device, such as a USB web camera, that will work with Windows Hello. The attack exploits how Windows 10 treats these USB devices and would require the attacker to have gained physical access to the target PC.
But with those pieces in place, an attacker could gain access to sensitive information on the target’s Windows 10 PC – and potentially information stored in Microsoft 365 cloud services.
“With only one valid IR frame of the target, the adversary can bypass the facial recognition mechanism of Windows Hello, resulting in a complete authentication bypass and potential access to all the victim’s sensitive assets,” CyberArk researcher Omer Tsarfati explained in a blog post.
The attacker could capture an IR frame of the target or convert a regular RGB frame into an IR frame.
The apparent weakness lies in how Windows Hello handles “public” data, such as an image of the person’s face, supplied by a USB device: the data is accepted from any device that meets the Windows Hello requirement of having both IR and RGB sensors.
The researchers discovered that only the IR camera frames are processed during authentication, so an attacker just needs a valid IR frame to bypass Windows Hello authentication. The RGB frames can contain anything. During tests, Tsarfati used an RGB frame of SpongeBob and the bypass still worked.
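To make the trust problem concrete, here is an added, simplified model of a face-authentication decision; it is illustrative code written for this article, not Windows Hello’s implementation or CyberArk’s research code. It contrasts a policy that accepts an IR frame from any USB device exposing IR and RGB (the behaviour described above) with one that only accepts frames bound to an enrolled sensor. The sensor-key binding, the device names, the keys and the frame bytes are all constructed assumptions for the demonstration and say nothing about how Microsoft’s actual fix works.

```python
"""Illustrative model of the trust problem behind the Windows Hello bypass.
Added example, not Windows Hello's code or CyberArk's research code.
All device names, keys and frame bytes are constructed for the demonstration."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Frame:
    kind: str          # "ir" or "rgb"
    pixels: bytes      # constructed stand-in for image data
    device_id: str     # identity the USB device reports
    tag: bytes = b""   # per-sensor MAC over pixels (assumed hardening design)


# Constructed enrollment: the "face template" is just a hash of the enrolled IR frame.
VICTIM_IR = b"constructed-ir-frame-of-victim"
ENROLLED_TEMPLATE = hashlib.sha256(VICTIM_IR).digest()

# Constructed: sensor key provisioned for the built-in camera at enrollment time.
TRUSTED_SENSOR_KEYS = {"builtin-ir-cam-0001": b"constructed-sensor-key"}


def _pick(frames: Iterable[Frame], kind: str) -> Optional[Frame]:
    return next((f for f in frames if f.kind == kind), None)


def template_matches(ir: Frame) -> bool:
    """Stand-in for biometric matching: exact hash comparison of the IR frame."""
    return hmac.compare_digest(hashlib.sha256(ir.pixels).digest(), ENROLLED_TEMPLATE)


def authenticate_naive(frames: list) -> bool:
    """Weak policy: any device presenting IR+RGB is treated as the camera,
    only the IR frame is compared, and the RGB frame content is ignored."""
    ir, rgb = _pick(frames, "ir"), _pick(frames, "rgb")
    if ir is None or rgb is None:
        return False
    return template_matches(ir)


def sign_frame(device_id: str, pixels: bytes) -> bytes:
    """What an enrolled sensor would attach to each frame (assumed design)."""
    return hmac.new(TRUSTED_SENSOR_KEYS[device_id], pixels, hashlib.sha256).digest()


def frame_from_trusted_sensor(f: Frame) -> bool:
    """True only if the frame carries a valid MAC under an enrolled sensor's key."""
    key = TRUSTED_SENSOR_KEYS.get(f.device_id)
    if key is None:
        return False
    return hmac.compare_digest(hmac.new(key, f.pixels, hashlib.sha256).digest(), f.tag)


def authenticate_bound(frames: list) -> bool:
    """Hardened policy: both frames must be bound to an enrolled sensor.
    A face image is public data; the origin of the frame is what is trusted."""
    ir, rgb = _pick(frames, "ir"), _pick(frames, "rgb")
    if ir is None or rgb is None:
        return False
    if not (frame_from_trusted_sensor(ir) and frame_from_trusted_sensor(rgb)):
        return False
    return template_matches(ir)


def genuine_session() -> list:
    """Constructed: frames produced by the enrolled built-in camera."""
    dev = "builtin-ir-cam-0001"
    rgb = b"constructed-rgb-frame-of-victim"
    return [Frame("ir", VICTIM_IR, dev, sign_frame(dev, VICTIM_IR)),
            Frame("rgb", rgb, dev, sign_frame(dev, rgb))]


def replayed_session() -> list:
    """Constructed: an unenrolled device presents a previously captured IR frame
    next to an arbitrary RGB frame (the article's SpongeBob example)."""
    dev = "unenrolled-usb-cam"
    return [Frame("ir", VICTIM_IR, dev), Frame("rgb", b"spongebob", dev)]


if __name__ == "__main__":
    print("naive, genuine :", authenticate_naive(genuine_session()))   # True
    print("naive, replayed:", authenticate_naive(replayed_session()))  # True
    print("bound, genuine :", authenticate_bound(genuine_session()))   # True
    print("bound, replayed:", authenticate_bound(replayed_session()))  # False
```

The point of the model is the second policy’s check order: sensor origin is verified before the biometric comparison is even attempted, because the face image itself is something an attacker can plausibly obtain, whereas a key held by the enrolled sensor is not. The RGB frame is also bound, so that it cannot simply be ignored, which is the behaviour the researchers observed.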
Tsarfati argued it would be fairly simple to obtain an IR frame of the target, for example by walking past the person with an IR camera or placing one where the target is likely to pass, such as an elevator. The image could even be captured at a distance with higher-end infrared sensors.
Tsarfati noted that Microsoft addressed the vulnerability last week and has tagged it as CVE-2021-34466.
Microsoft said that the attacker would need physical access and that the attack is complex to pull off. Microsoft noted it is an important patch to apply, but its description suggests it is nothing an admin should lose sleep over.
“A successful attack depends on conditions beyond the attacker’s control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected,” Microsoft noted.
“For example, a successful attack may require an attacker to: gather knowledge about the environment in which the vulnerable target/component exists; prepare the target environment to improve exploit reliability; or inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g., a man in the middle attack).”