[ad_1]
Biometric authentication is a key part of the tech industry’s plans to make the world password-free. But a new method to fool Microsoft’s Windows Hello facial recognition system shows that a little hardware hacking can cause the system to unlock when it shouldn’t.
Services like Apple’s FaceID have made facial recognition authentication more common in recent years, with Windows Hello pushing adoption even further. Apple only allows you to use FaceID with cameras built into newer iPhones and iPads, and it still isn’t supported on Macs. But because Windows hardware is so diverse, Hello facial recognition works with a range of third-party webcams. Where some might see ease of adoption, researchers at security firm CyberArk saw a potential vulnerability.
This is because you cannot trust an older webcam to offer robust protections in the way it collects and transmits data. Windows Hello facial recognition only works with webcams that have an infrared sensor in addition to the standard RGB sensor. But the system, it turns out, doesn’t even look at the RGB data. Which means that with a direct infrared image of a target’s face and a black frame, the researchers found they could unlock the victim’s Windows Hello-protected device.
By manipulating a USB webcam to deliver an image of the attacker’s choice, the researchers were able to trick Windows Hello into believing that the device owner’s face was present and unlocking.
“We tried to find the weakest point of facial recognition and what would be the most interesting from the attacker’s point of view, the most accessible option”, explains Omer Tsarfati, researcher at the security company CyberArk. . “We created a complete map of the Windows Hello facial recognition flow and found that the most convenient for an attacker would be to impersonate the camera, because the entire system relies on this input. “
Microsoft calls the discovery a “Windows Hello security feature bypass vulnerability” and released fixes on Tuesday to resolve the issue. In addition, the company suggests that users enable “Windows Hello enhanced sign-in security,” which uses Microsoft’s “virtualization-based security” to encrypt Windows Hello face data and process it in a protected area of memory where they cannot be falsified. The company did not respond to a request from WIRED for comment on CyberArk’s findings.
Tsarfati, who will present the results next month at the Black Hat Security Conference in Las Vegas, says the CyberArk team has chosen to look at Windows Hello’s facial recognition authentication, in particular, because there is already had a lot of research in the industry on the PIN code. cracking and spoofing of the fingerprint sensor. He adds that the team was drawn to Windows Hello’s large user base. In May 2020, Microsoft said the service has more than 150 million users. In December, the company added that 84.7% of Windows 10 users sign in with Windows Hello.
While it sounds simple – show the system two photos and you’re there – these Windows Hello workarounds wouldn’t be easy to implement in practice. Hacking requires that attackers have a good quality infrared image of the target’s face and have physical access to their device. But the concept matters as Microsoft continues to push the adoption of Hello with Windows 11. Hardware diversity among Windows devices and the deplorable state of IoT security could combine to create other vulnerabilities in the way Windows Hello. accepts facial data.
“A really motivated striker could do these things,” Tsarfati explains. “Microsoft was great to work with and produced mitigations, but the deeper issue itself regarding computer-camera trust remains there. “
[ad_2]
Source link