Microsoft fixes severe crash in Windows Hello biometrics

A strong password can keep someone with physical access out of a computer, but until recently that was not guaranteed for Microsoft users who opted for Windows Hello. A security hole allowed an attacker with physical access to bypass the biometric lock by simulating the presence of the machine’s owner.

Windows 10’s passwordless authentication system, which uses facial recognition to unlock the computer, allowed an attacker to feed it a spoofed sequence of face frames from a fake USB camera, trick the biometric check and take control of the device.

Registered as CVE-2021-34466 and discovered in March by researchers at CyberArk Labs, the flaw allowed them to manipulate the authentication process. According to Omer Tsarfati, who led the analysis, it was enough to capture or recreate a “target face” and then connect an adapted USB device to inject the fake images into the authentication host.

This caused Windows Hello to recognise the owner’s face even though the owner was not present, and to grant access to the PC.

Adapted USB device simulates an external USB camera in Windows Hello. Source: Disclosure / CyberArk

Windows Hello is a Windows 10 feature that lets users unlock the PC without typing a long account password, using instead a short PIN or a biometric identity, either a fingerprint or facial recognition. According to Microsoft, about 85% of Windows 10 users sign in with one of these three options.

Flaw fixed, or nearly so

Microsoft says it fixed the vulnerability in its July patch. Tsarfati, however, believes that this initial fix may not fully mitigate the risk, and that a complete fix must address the trust placed in the USB device connected to the machine.

“To comprehensively mitigate this trust issue, the host must validate the integrity of the biometric authentication device before trusting it,” he said.
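To make the host-side check Tsarfati describes concrete, the following is an added illustration (not CyberArk’s or Microsoft’s code) of a host that only hands frames to the face matcher once the sending device has answered a fresh challenge with a key provisioned at enrolment. The device identifiers, keys and frame bytes are constructed for the example, and a shared HMAC key stands in for the certificate or attestation a real sensor would present; the point is that a device which merely presents itself as a camera, without that credential, is rejected before any image is evaluated.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


# Hypothetical host-side registry of enrolled sensors: device id -> key provisioned
# when the camera was paired with the machine. All values are constructed for this
# example; a real sensor would present a certificate chain rather than a shared key.
TRUSTED_DEVICES = {
    "camera-001": b"constructed-enrolment-key-for-camera-001",
}


def device_respond(key: bytes, nonce: bytes, frame: bytes) -> bytes:
    """What an enrolled camera computes: a MAC binding the host's fresh nonce
    to the frame it is about to deliver. A device without the enrolment key
    cannot produce this value."""
    return hmac.new(key, nonce + hashlib.sha256(frame).digest(), hashlib.sha256).digest()


@dataclass
class AuthHost:
    """Host side of the check: a frame is only passed on to the face matcher once
    the sending device has proved it holds an enrolled key, for this exact frame,
    in response to a nonce the host issued for it."""
    trusted: dict = field(default_factory=lambda: dict(TRUSTED_DEVICES))
    _outstanding: dict = field(default_factory=dict)  # device id -> nonce awaiting a reply

    def challenge(self, device_id: str) -> bytes:
        nonce = os.urandom(16)
        self._outstanding[device_id] = nonce
        return nonce

    def accept_frame(self, device_id: str, frame: bytes, tag: bytes) -> bool:
        key = self.trusted.get(device_id)
        # A nonce is consumed on first use, so a captured reply cannot be replayed.
        nonce = self._outstanding.pop(device_id, None)
        if key is None or nonce is None:
            return False
        expected = device_respond(key, nonce, frame)
        return hmac.compare_digest(expected, tag)


def run_scenarios() -> dict:
    """Exercise the check against a genuine sensor and against the failure modes
    a host must reject. Frame bytes are constructed placeholders."""
    host = AuthHost()
    genuine_key = TRUSTED_DEVICES["camera-001"]
    frame = b"constructed frame from the enrolled camera"
    results = {}

    # 1. Enrolled camera answers the challenge for the frame it delivers.
    nonce = host.challenge("camera-001")
    tag = device_respond(genuine_key, nonce, frame)
    results["genuine"] = host.accept_frame("camera-001", frame, tag)

    # 2. The same reply presented again: the nonce was consumed, so it is rejected.
    results["replay"] = host.accept_frame("camera-001", frame, tag)

    # 3. A device claiming the enrolled id but lacking its key.
    nonce = host.challenge("camera-001")
    results["wrong_key"] = host.accept_frame(
        "camera-001", frame, device_respond(b"not-the-enrolled-key", nonce, frame))

    # 4. A valid reply whose frame was swapped in transit: the MAC no longer matches.
    nonce = host.challenge("camera-001")
    tag = device_respond(genuine_key, nonce, frame)
    results["swapped_frame"] = host.accept_frame("camera-001", b"different frame", tag)

    # 5. A device id the host never enrolled.
    nonce = host.challenge("camera-999")
    results["unenrolled"] = host.accept_frame(
        "camera-999", frame, device_respond(b"whatever", nonce, frame))

    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:14s} accepted={accepted}")
```

Only the first scenario is accepted; the replayed reply, the device without the enrolment key, the swapped frame and the unenrolled device are all refused before the face matcher ever sees an image. Binding the MAC to both the nonce and the frame hash is what closes the two gaps together: freshness against replay, and integrity against substituting the frame after the device has answered.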

CyberArk has posted proof-of-concept videos that show how to exploit the flaw, which was also found in the enterprise version of Hello.

“It’s similar to stealing a password, but much more accessible because the data [of your face] is out there. At the heart of this is the fact that Windows Hello allows external data sources [like videos],” he explains.
