Windows Hello had a hell of a problem.

Researchers discovered a security vulnerability, rated 5.7 on the CVSS scale, that allowed cyber attackers to bypass facial recognition that relies on a USB camera.

The vulnerability, which was discovered by CyberArk Labs and was patched in Microsoft’s most recent patch release on July 13th, used a method similar to that shown by Tom Cruise in Minority Report – where a cybercriminal could use a custom USB device to steal an infrared image of the target’s face.

That infrared image could then be utilised to bypass and compromise any facial recognition product that used a USB camera to try and verify identification. The issue was a significant one not least because 85% of Windows 10 users utilised one of the key programs that was found to have the vulnerability: Windows Hello, Microsoft’s own password-less authentication solution.

A ‘high-level access’ opportunity

According to CyberArk Labs, the bypass could allow an attacker to gain high-level access to an organisation’s sensitive data through a privileged account, for example. The researchers managed to gain entry by decoding how Windows Hello works, and identifying the most vulnerable area.

The main feature of Windows Hello is biometric authentication, and the researchers identified the biometric sensor as the weakest link in the chain, because it potentially exposes the system to data manipulation attacks on the target’s device. The sensor is a device that transmits the information on which the OS, and Windows Hello in particular, makes its authentication decision.

The main issue with Windows Hello is that it accepts external data sources, which can be manipulated, as a root of trust.

And it’s possible to spoof infra-red (IR) frames of a person to “bypass” the face recognition mechanism. CyberArk Labs believe that those IR frames can be created out of regular colour images, should an attacker choose.

Alternative USB devices

“Our findings show that any USB device can be cloned, and any USB device can impersonate any other USB device,” says Omer Tsarfati, security researcher at CyberArk Labs. “Identifying a USB device by a descriptor provided by the device is the main reason for this. The OS cannot validate such a device’s authenticity, at least not according to the USB specification.”

Because of this, the attack method was relatively simple. The attacker creates or captures an infra-red image of the victim they’re choosing to target. They also create a custom USB device that presents itself to Windows as a traditional webcam and contains the spoofed or captured IR image. That custom USB device is then connected to the computer they want to target, where it transmits the IR image to Windows Hello as proof of authentication.

That spoofed authentication of the facial image – in infra-red – is accepted by Windows Hello.

Thus, the hacker is given access to the computer, bypassing the safe authentication designed to protect the device.

“Based on our preliminary testing of the mitigation, using Enhanced Sign-in Security with compatible hardware limits the attack surface but is dependent on users having specific cameras,” says Tsarfati. “Inherent to system design, implicit trust of input from peripheral devices remains. To mitigate this inherent trust issue more comprehensively, the host should validate the integrity of the biometric authentication device before trusting it.”
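The difference between trusting a self-reported descriptor and validating the device before trusting its frames, as an added example that is not code from the article, CyberArk or Microsoft and does not describe how Enhanced Sign-in Security is implemented. All names and values are hypothetical, and an HMAC over a shared secret stands in for the per-device certificate a real design would use.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample values (not real vendor/product IDs, not from the article).
TRUSTED_DESCRIPTORS = {(0x1234, 0xABCD)}
GENUINE_KEY = secrets.token_bytes(32)        # secret provisioned into the real camera
ENROLLED_KEYS = {"CAM-0001": GENUINE_KEY}    # host's copy, recorded at enrolment

@dataclass
class Camera:
    vendor_id: int
    product_id: int
    serial: str
    device_key: bytes | None   # None models a clone: it copies descriptors, not the secret

    def send_frame(self, frame: bytes, nonce: bytes) -> tuple[bytes, bytes]:
        """Return the frame and a MAC binding it to the host's fresh nonce."""
        key = self.device_key or bytes(32)   # a clone has to guess the key
        return frame, hmac.new(key, nonce + frame, hashlib.sha256).digest()

def descriptor_check(cam: Camera) -> bool:
    """Weak: identity is whatever the device says about itself."""
    return (cam.vendor_id, cam.product_id) in TRUSTED_DESCRIPTORS

def attested_check(cam: Camera, frame: bytes) -> bool:
    """Stronger: a frame is accepted only with proof of the enrolled key."""
    key = ENROLLED_KEYS.get(cam.serial)
    if key is None:
        return False                          # unknown device: reject outright
    nonce = secrets.token_bytes(16)           # fresh per request, so old tags cannot be replayed
    got, tag = cam.send_frame(frame, nonce)
    expected = hmac.new(key, nonce + got, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison

genuine = Camera(0x1234, 0xABCD, "CAM-0001", GENUINE_KEY)
clone = Camera(0x1234, 0xABCD, "CAM-0001", None)   # same descriptors, no secret
```

Both cameras pass `descriptor_check`, but only the one holding the enrolled key passes `attested_check`.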

It’s another reminder to take care of your own cybersecurity, and proof that even what we think of as more secure methods of authentication can still be leveraged by attackers with enough wherewithal to try and find a way of entry.