Microsoft: Physical access to a computer by a third party could be blocked with a strong password, but this was not true if the user opted for Windows Hello. A security hole allowed an attacker to circumvent the biometric lock by simulating the presence of the machine’s owner.
Windows 10’s passwordless authentication system, which uses facial recognition to unlock the computer, allowed an attacker to feed a spoofed sequence of face frames from a fake USB camera to the biometric system and take control of the device.
Registered as CVE-2021-34466 and discovered in March by researchers at CyberArk Labs, the flaw allowed them to manipulate the authentication process. According to Omer Tsarfati, who led the analysis, it was enough to capture or recreate a “target face” and then connect a modified USB device to inject the fake images into the authentication host.
This caused Windows Hello to recognize the machine owner’s face even when the owner was not present, and to grant access to the PC.
Windows Hello is a Windows 10 feature that lets users unlock the PC without typing a long conventional password, using instead a short PIN code or a biometric identity, either a fingerprint or facial recognition. According to Microsoft, about 85% of Windows 10 users use one of these three login options.
Flaw fixed, or nearly so
Microsoft says it fixed the vulnerability in a July patch. But Tsarfati believes that a preliminary solution may not fully mitigate the risk, and that the fix should focus on the USB device connected to the machine.
“To comprehensively mitigate this trust issue, the host must validate the integrity of the biometric authentication device before trusting it,” he said.
CyberArk has posted proof-of-concept videos that show how to exploit the flaw, which was also found in the enterprise version of Hello.
“It’s similar to stealing a password, but much more accessible because [your face] data is out there. At the heart of that is the fact that Windows Hello allows external data sources [like videos],” he explains.