A vulnerability in Microsoft’s Windows 10 password-free authentication system has been discovered that could allow an attacker to spoof an image of a person’s face to trick the facial-recognition system and take control of a device.
Windows Hello is a feature in Windows 10 that allows users to authenticate themselves without a password, instead using a PIN code or biometric identity—either a fingerprint or facial recognition—to access a device/machine. According to Microsoft, about 85% of Windows 10 users utilise Windows Hello.
The bypass vulnerability, tracked as CVE-2021-34466, requires an attacker to have physical access to a device to exploit it. From there, they can go on “to manipulate the authentication process by capturing or re-creating a photo of the target’s face and subsequently plugging-in a custom-made USB device to inject the spoofed images to the authenticating host,” researchers said. Exploitation of the bypass can extend beyond Windows Hello systems to any authentication system that allows a pluggable third-party USB camera to act as biometric sensor.
While researchers have no evidence that anyone has tried or used the attack in the wild at the time of writing, someone with a motive could potentially use it on a targeted espionage victim. Thankfully, Microsoft addressed the vulnerability — which affects both consumer and business versions of the feature — in its July Patch Tuesday update. Also, Windows users with Windows Hello Enhanced Sign-in Security — a new security feature in Windows that requires specialised and pre-installed hardware, drivers and firmware — are protected against any attacks “which tamper with the biometrics pipeline,” according to Microsoft.
However, the researchers are unsure whether the fix fully mitigates the issue. “Based on our preliminary testing of the mitigation, using Enhanced Sign-in Security with compatible hardware limits the attack surface, but this is dependent on users having specific cameras,” they said. For facial recognition, the biometric sensor is either a camera embedded in the device, such as a laptop’s built-in camera, or one connected to the computer over USB. The entire authentication process therefore trusts whatever that camera delivers as proof of identity, and that trust is where the vulnerability lies, particularly when a USB camera is the sensor.
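Two checks an administrator can run on a Windows 10 host after reading the above, as an added example that is not code from the original article, from the researchers or from Microsoft: one confirms the OS is at or past the July 2021 cumulative update, the other lists the camera devices present and flags those on the USB bus, since that is the sensor type the article singles out. The build/revision table in the script is my own assumption, taken from Microsoft’s July 13, 2021 release notes for the 2004/20H2/21H1 branches (OS builds 19041/19042/19043, revision 1110); other Windows 10 branches need their own minimum revision added to the table.

```powershell
# Added example, not code from the original article or the vendor write-ups.
# Check 1: is this host at or past the July 2021 cumulative update that addressed CVE-2021-34466?
# Check 2: which camera devices exist, and which of them enumerate on the USB bus?

function Test-HelloFaceBypassPatch {
    [CmdletBinding()]
    param(
        # Minimum UBR (revision) per OS build that contains the July 2021 fix.
        # ASSUMED values for builds 19041/19042/19043 (revision 1110); extend for other branches.
        [hashtable]$MinRevision = @{ 19041 = 1110; 19042 = 1110; 19043 = 1110 }
    )
    # CurrentBuildNumber and UBR together give the "19043.1110"-style build shown in winver.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    if (-not $MinRevision.ContainsKey($build)) {
        return [PSCustomObject]@{
            Build   = "$build.$ubr"
            Patched = $null
            Note    = 'Build not in table; look up its July 2021 KB and add the minimum revision'
        }
    }
    [PSCustomObject]@{
        Build   = "$build.$ubr"
        Patched = ($ubr -ge $MinRevision[$build])
        Note    = "Minimum revision for this build: $($MinRevision[$build])"
    }
}

function Get-CameraInventory {
    [CmdletBinding()]
    param()
    # 'Camera' is the PnP device class for imaging sensors on Windows 10; 'Image' catches older drivers.
    Get-PnpDevice -Class Camera, Image -ErrorAction SilentlyContinue |
        Where-Object Status -eq 'OK' |
        ForEach-Object {
            # The enumerator prefix of the instance ID (USB\, PCI\, ACPI\, ...) is the bus the camera arrived on.
            # Caveat: many built-in laptop webcams hang off an internal USB hub and also show as USB,
            # so treat OnUsb as "candidate for the pluggable-sensor scenario", not a verdict.
            $bus = ($_.InstanceId -split '\\')[0]
            [PSCustomObject]@{
                Name       = $_.FriendlyName
                Bus        = $bus
                OnUsb      = ($bus -eq 'USB')
                InstanceId = $_.InstanceId
            }
        }
}

Test-HelloFaceBypassPatch | Format-List
Get-CameraInventory | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; the first function reads only the registry, the second uses the PnpDevice module that ships with Windows 10. A camera that appears as OnUsb and is not the laptop’s built-in one is the configuration the researchers describe, and an unpatched build in the first result is the more urgent finding.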
Neuways advises users to set up multi-factor authentication (MFA) wherever they can to reduce the impact of exploits like this. In doing so, you are securing your business by ensuring that a secondary device, such as a mobile phone, is also used to verify the identity of the user.