Omer Tsarfati, Cyber Security Researcher at CyberArk Labs, describes a flaw that allows hackers to bypass Windows Hello’s facial recognition
Biometric authentication is beginning to see rapid adoption across enterprises as they look to mitigate the numerous security risks which are inherent with password use.
That has led to the widespread adoption of password-less solutions, and one of the most widely adopted password-less authentication systems is Windows Hello. The system, which is used by 85% of Windows 10 users, enables login via pin code, fingerprint, or facial recognition.
Given the prevalence of Windows Hello, the CyberArk Labs research team explored potential weaknesses in the system in the aim of testing and strengthening the system, and biometric security more generally. This resulted in the discovery of a design flaw which allows adversaries to bypass Windows Hello’s facial recognition.
How the vulnerability works
The vulnerability allows an attacker with physical access to a device to manipulate the authentication process by capturing or recreating a photo of a target’s face. This involves the use of custom-made USB device to inject the spoofed images to the authenticating host so attackers can get into the system.
While there is no current evidence of this attack in the wild, it could be used by a motivated attacker looking to target or conduct espionage on a scientist, journalist, activist or privileged user with sensitive IP on their device.
It’s also important to note that while this research was specific to Windows Hello, potentially any authentication systems which allows a pluggable third-party USB camera to act as a biometric sensor could be susceptible to such an attack without proper mitigation.
The main feature of Windows Hello is biometric authentication. When deciding what part of the system to target, we surmised the biometric sensor was the weak link and could potentially expose the system to data manipulation attacks on the target user’s device. As the sensor transmits information on which the system makes its authentication decision, manipulating it can lead to a potential bypass of the whole authentication system.
Taking this to a facial recognition scenario, the biometric sensor is either a camera embedded in a device, or in the form of a USB device. Instead of using something that only you know to authenticate – a traditionally core principle of authentication – facial recognition takes ‘public’ information (your face) to log into the system.
This meant our research yielded an interesting attack vector for attackers to pursue: capture a victim’s image, save the captured frames, impersonate a USB camera device, and eventually send those frames to the system for verification.
Facial recognition spoofing
This leads to the next step: facial recognition spoofing.
Windows Hello only processes infra-red (IR) camera frames during the facial recognition process. With this understanding, an attacker needs to implement a USB that supports an RGB and IR camera. This USB device then only needs to send genuine IR frames of the victim to bypass the login phase.
There is an obvious issue that presents itself here, however: how does the attacker get a valid IR frame of the victim? The answer lies in two options; either capturing an IR frame of the victim, or converting one of the victim’s regular RGB frames to an IR one.
In short, an attacker can easily create a custom-made USB device that Windows Hello will work with. They then control the data coming from this device. With only one valid IR frame of the target, adversaries can bypass the facial recognition mechanism of Windows Hello, resulting in a complete authentication bypass and potential access to all the victim’s sensitive assets.
How to secure facial recognition?
Of course, for those looking to remain safe, changing their face via plastic surgery, or preventing an attacker from taking an image of them isn’t a feasible form of mitigation. Instead, based on our preliminary testing of the mitigation, using enhanced sign-in security with compatible hardware can limit the attack surface. It is however, dependent on users having specific cameras.
At the heart of this vulnerability lies the fact that Windows Hello allows external data sources, which can be manipulated, as a root of trust. To mitigate this inherent trust issue more comprehensively, the host should validate the integrity of the biometric authentication device before trusting it.
Finding a long-term resolution
This research reveals how a system which implicitly trusts input from peripheral devices – such as Windows Hello – can expose itself to inherent security weaknesses. This input, in some cases, can contain ‘public’ data, such as a person’s face, which raises security issues in itself.
As ethical hackers, we always pursue coordinated responsible disclosure processes with each of our discoveries, and this case was no exception. When we alerted it to this vulnerability, Microsoft announced that it had issued a security update that mitigates this issue. This concept remains a serious one however, because it exposes a new attack vector to any biometric authentication that relies on input from an external USB device.
Our research showed it’s possible that, in future, if (for instance) Windows were ever to allow remote authentication with face recognition, even the need to be able to access a user machine will not be necessary; it becomes potentially possible to exploit this attack remotely, which will increase the attack risk substantially, showing more needs to be done to mitigate against attacks of this type.
This article is adapted from a post originally published on the CyberArk website.
Main image courtesy of iStockPhoto,com