An infrared photo and a video frame were enough for them

Biometric authentication is a key part of the tech industry’s plans to remove passwords around the world. But a new method to bypass Microsoft’s Windows Hello facial recognition system shows that a little hardware manipulation can trick the system into unlocking when it shouldn’t. Indeed, CyberArk researchers tricked Windows Hello, the Windows 10 and Windows 11 built-in passwordless authentication system, by using a single infrared image accompanied by a video frame. Windows Hello includes three authentication methods: a user-generated PIN, a fingerprint scanner, and a facial recognition tool. CyberArk researchers specifically targeted its facial recognition capabilities, but problems were also found in other aspects of the system.

Services like Apple’s FaceID have made facial recognition authentication more common in recent years, and Windows Hello has taken adoption even further. Apple only allows FaceID to be used with cameras built into recent iPhones and iPads, and the service is still not supported on Macs. But since Windows hardware is so diverse, Hello facial recognition works with a whole host of third-party webcams. Where some might see ease of adoption, however, researchers at security firm CyberArk saw potential vulnerability, because you can’t trust any old webcam to offer solid protections in the way it collects and transmits data. Windows Hello facial recognition only works with webcams equipped with an infrared sensor in addition to the RGB color sensor. But the system, in fact, does not even look at the RGB data. This means that with a direct infrared image of a target’s face and a black frame, the researchers found they could unlock a victim’s device protected by Windows Hello.

Process: the researchers connected a prototyping board to a PC via USB. The board masquerades as a webcam and sends two static images (a black frame plus an infrared photo of the user). Windows Hello takes the pair for the user and unlocks. “We tried to find the weak point of facial recognition and what would be the most interesting from an attacker’s point of view, the most approachable option. We created a complete map of the Windows Hello facial recognition flow and saw that the most convenient for an attacker would be to pretend to be the camera, because the whole system relies on that input,” explains Omer Tsarfati, a researcher at CyberArk.

Microsoft calls the discovery a “Windows Hello Security Bypass Vulnerability” and released patches last Tuesday to address the issue. In addition, the company suggests that users enable “Windows Hello Enhanced Sign-in Security,” which uses Microsoft’s “virtualization-based security” to encrypt Windows Hello face data and process it in a protected memory area where it cannot be altered.

Tsarfati, who will present his findings next month at the Black Hat security conference in Las Vegas, says the CyberArk team chose to look at Windows Hello’s facial recognition authentication in particular because so much research has already been done industry-wide on PIN code hacking and fingerprint sensor spoofing. He adds that the team was drawn to the large user base of Windows Hello. In May 2020, Microsoft said the service had more than 150 million users. In December, the company added that 84.7% of Windows 10 users sign in with Windows Hello.

Although it seems simple (show the system two photos and you are accepted), this Windows Hello bypass would not be easy to achieve in practice. The attack requires attackers to have a good quality infrared image of the target’s face and physical access to their device. But the concept is important, as Microsoft continues to drive the adoption of Hello with Windows 11. The diversity of hardware among Windows devices and the dismal state of IoT security could combine to create other vulnerabilities in how Windows Hello accepts face data. “A truly motivated attacker could do these things. Microsoft has been great to work with and has produced mitigations, but the deeper problem in itself, regarding trust between the computer and the camera, remains present,” Tsarfati said.

There are different ways of capturing and processing images for facial recognition. Apple’s FaceID technology, for example, only works with TrueDepth camera arrays, which combine an infrared camera with a number of other sensors. But Apple is able to control both the hardware and the software of its devices in a way that Microsoft cannot for the Windows ecosystem. The Windows Hello Face setup information simply says “Sign in with your PC’s infrared camera or an external infrared camera.”

Marc Rogers, longtime biometric sensor security researcher and vice president of cybersecurity at digital identity management company Okta, believes Microsoft should make it clear to users which third-party webcams are certified as offering strong protections for Windows Hello. Users can still decide whether they want to buy one of these products rather than any old infrared webcam, but specific guidelines and recommendations would help people understand the options.

CyberArk’s research is part of a larger category of hacks known as “downgrade attacks”, in which a device is pushed into a less secure mode, such as a malicious mobile phone tower that forces your phone to use 3G mobile data, with its weaker defenses, instead of 4G. An attack aimed at getting Windows Hello to accept static, pre-recorded facial data uses the same principle, and researchers have defeated Windows Hello’s facial recognition before, getting the system to accept photos using different techniques. According to Rogers, it is surprising that Microsoft did not anticipate the possibility of attacks against third-party cameras like the one designed by CyberArk.

Source: CyberArk, Microsoft

And you?

What do you think of passwordless authentication? Does it guarantee more security than a password?
Have you ever used any of Microsoft’s password alternatives? If so, which one? What is your feedback?

See also:

Microsoft plans to end passwords in 2021 and rely on new authentication methods like Windows Hello, Microsoft Authenticator, and biometrics

Yubico and Microsoft announce general availability of passwordless login for all Azure Active Directory (Azure AD) users, thanks to the YubiKey with the FIDO2 protocol

Windows 11 will require new laptops to have a front camera in 2023
