CyberArk Labs tests biometric presentation attacks against Windows Hello
Cybersecurity research firm CyberArk Labs has revealed data from its latest experiment focusing on a successful spoofing attempt of Windows Hello biometrics-powered systems.
Describing the findings in a blog post, CyberArk said it had discovered a new design flaw in Windows Hello that would potentially allow attackers to bypass the platform’s facial recognition capabilities altogether.
The attack reportedly works through the injection of a target’s face photo via a custom-made USB camera.
Once the camera is connected to the computer, the spoofed image is injected into the authenticating host, which ‘believes’ the device to be its main camera, and the photo contained in it a live image.
Through this process, CyberArk researchers were able to get around Windows Hello’s face biometric check entirely.
Writing in the blog post, CyberArk clarified that, while the attack was tested against a Windows Hello for Business system, any platform that allows a pluggable third-party USB camera to act as a biometric sensor could be potentially susceptible to this attack.
“At the heart of this vulnerability lies the fact that Windows Hello allows external data sources, which can be manipulated, as a root of trust,” the post reads.
The findings also showed that any USB device can be cloned, potentially impersonating any other USB device.
“Identifying a USB device by a descriptor provided by the device is the main reason for this. The OS cannot validate such a device’s authenticity, at least not according to the USB specification.”
However, the cybersecurity firm also clarified that not all USB devices input can lead to a security risk.
“The answer lies in the input itself. Keyboard input [for example] is known only to the person who is typing before the information is entered into the system, while camera input isn’t.”
Following the publishing of the new findings, Microsoft has released a mitigation document on July 13, trying to patch the Windows Hello vulnerability.
The results of the research will be discussed by CyberArk at the Black Hat 2021 web conference on August 4 and 5, 2021.
CyberArk has also recently added new digital identity solutions to the AWS Marketplace.