A key piece of the tech industry’s plan to make the world password-less and safer is biometric authentication. However, a novel method for bypassing Microsoft’s Windows Hello facial recognition system shows that a little fiddling with the hardware can deceive the system into unlocking without authorization.
Facial recognition authentication has become more common in recent years, with Windows Hello driving much of its adoption. Apple offers Face ID with the cameras in recent iPhones and iPads, but it is not supported on Macs. Because of the diversity of Windows hardware, Hello facial recognition works with multiple third-party webcams. However, researchers from security firm CyberArk see a potential vulnerability in that flexibility.
This is because not just any webcam can be trusted to protect the data it collects and transmits. Windows Hello facial recognition works only with webcams that have an infrared sensor in addition to a regular RGB sensor. The system, however, does not check the RGB data, meaning that with a single straight-on infrared image of the target’s face and a single black frame, the researchers found they could unlock a Windows Hello-protected device.
By manipulating a USB webcam to deliver an attacker-chosen image, the researchers could deceive Windows Hello into believing the owner’s face was present and unlocking the device.
‘We tried to find the weakest point in the facial recognition and what would be the most interesting from the attacker’s perspective, the most approachable option’, says Omer Tsarfati, a researcher at CyberArk. ‘We created a full map of the Windows Hello facial recognition flow and saw that the most convenient for an attacker would be to pretend to be the camera, because the whole system is relying on this input.’
Microsoft refers to this finding as a ‘Windows Hello security feature bypass vulnerability’ and recently released patches to address it. The company also suggests that users enable ‘Windows Hello enhanced sign-in security’, which uses Microsoft’s ‘virtualization-based security’ to encrypt Windows Hello face data and process it in a secure area. Microsoft did not respond to a request for comment on the CyberArk findings.
Tsarfati says the CyberArk team chose Windows Hello’s facial recognition authentication specifically because PIN cracking and fingerprint-sensor spoofing had already been researched extensively. The team was also drawn by the large Windows Hello user base. In May 2020, Microsoft stated that the service had over 150 million users; by December, it added that 84.7% of Windows 10 users signed in with Windows Hello.
Although it sounds simple, the Windows Hello bypass may be difficult to carry out in practice. An attacker would need a good-quality infrared image of the target’s face as well as physical access to the device. The hardware diversity among Windows devices could also combine to create other weaknesses in how Windows Hello accepts face data.
‘A really motivated attacker could do those things’, says Tsarfati. ‘Microsoft was great to work with and produced mitigations, but the deeper problem itself about trust between the computer and the camera stays there.’
There are numerous ways to take and process images for facial recognition. Apple’s FaceID works only with the company’s proprietary TrueDepth camera arrays, but Apple is in a position to control hardware and software on its devices in a way that Microsoft cannot. The Windows Hello Face setup information only says ‘Sign-in with your PC’s infrared camera or an external infrared camera.’
Marc Rogers, a biometric-sensor security researcher and Vice President of cybersecurity at digital identity management company Okta, says it should be made clear to users which third-party webcams are certified as providing adequate protection for Windows Hello. Users can choose from the products available, but specific guidelines and recommendations would help them make a better-informed choice.
This research falls into the category of hacks called ‘downgrade attacks’, in which a device is deceived into relying on a less secure mode. An attack that makes Windows Hello accept static, prerecorded face data rests on the same principle, and researchers have defeated Windows Hello’s facial recognition before by tricking the system into accepting photos using various techniques.
‘Really, Microsoft should know better,’ Rogers says. ‘This attack pathway in general is one that we have known for a long time. I’m a bit disappointed that they aren’t more strict about what cameras they will trust.’
By Marvellous Iwendi.