Security researchers at CyberArk Labs discovered a security bypass vulnerability, tracked as CVE-2021-34466, affecting the Windows Hello facial authentication process, An attacker could exploit the vulnerability to login systems running the Windows 10 OS.
Microsoft already fixed the vulnerability with the release of July Patch Tuesday security updates.
Windows Hello is a Windows 10 security feature that allows users to unlock the device with a user’s fingerprint, iris scan, or face. The feature uses IR camera to scan the user’s face, the camera has two distinct sensors to manage RGB and Infra-red (IR). The researchers discovered that only the IR camera frames are processed during the authentication process.
Experts discovered that it has been possible to bypass authentication just using a single, valid, infra-red frame.
“This USB device then only needs to send genuine IR frames of the victim to bypass the login phase, while the RGB frames can contain anything. Further, into the research, we figured out that we even don’t need many frames of the “target.”” states the analysis published by the experts.
“Apparently, we only need one IR frame and an entirely black frame. When we tried to send only one valid IR frame in the buffer, Windows Hello didn’t accept our input as valid, but when we sent both the black frame and the proper IR frame, we got in.”
Cyberark researchers pointed out that the flaw is very difficult to exploit, an attacker with physical access to the computer needs a good infra-red image of the user.
This can be achieved by passing by the person with a camera or by setting this IR camera in a place that the person will go through, for example, an elevator. An attacker could also use advanced IR camera technologies that can allow to take a good picture even from a distance.
Then the attacker has to plug into the system a custom-built USB device that can then be used to inject the spoofed image.
The experts demonstrated how to bypass the security feature in a video PoC:
Microsoft provided the experts the following statement:
“Microsoft released a security update on July 13 that mitigates this issue. For more information, please see CVE-2021-34466:
In addition, customers with Windows Hello Enhanced Sign-in Security are protected against such attacks which tamper with the biometrics pipeline. Enhanced Sign-in Security is a new security feature in Windows which requires specialized hardware, drivers, and firmware that are pre-installed on the system by device manufacturers in the factory. Please contact your device manufacturers for the state of Enhanced Sign-in Security on your device.
(SecurityAffairs – hacking, Windows)