FB pixel

CyberArk Labs tests biometric presentation attacks against Windows Hello

Spoofing face biometrics via a custom USB camera
CyberArk Labs tests biometric presentation attacks against Windows Hello
 

Cybersecurity research firm CyberArk Labs has revealed data from its latest experiment focusing on a successful spoofing attempt of Windows Hello biometrics-powered systems.

Describing the findings in a blog post, CyberArk said it had discovered a new design flaw in Windows Hello that would potentially allow attackers to bypass the platform’s facial recognition capabilities altogether.

The attack reportedly works through the injection of a target’s face photo via a custom-made USB camera.

Once the camera is connected to the computer, the spoofed image is injected into the authenticating host, which ‘believes’ the device to be its main camera, and the photo contained in it a live image.

Through this process, CyberArk researchers were able to get around Windows Hello’s face biometric check entirely.

Writing in the blog post, CyberArk clarified that, while the attack was tested against a Windows Hello for Business system, any platform that allows a pluggable third-party USB camera to act as a biometric sensor could be potentially susceptible to this attack.

“At the heart of this vulnerability lies the fact that Windows Hello allows external data sources, which can be manipulated, as a root of trust,” the post reads.

The findings also showed that any USB device can be cloned, potentially impersonating any other USB device.

“Identifying a USB device by a descriptor provided by the device is the main reason for this. The OS cannot validate such a device’s authenticity, at least not according to the USB specification.”

However, the cybersecurity firm also clarified that not all USB devices input can lead to a security risk.

“The answer lies in the input itself. Keyboard input [for example] is known only to the person who is typing before the information is entered into the system, while camera input isn’t.”

Following the publishing of the new findings, Microsoft has released a mitigation document on July 13, trying to patch the Windows Hello vulnerability.

The results of the research will be discussed by CyberArk at the Black Hat 2021 web conference on August 4 and 5, 2021.

CyberArk has also recently added new digital identity solutions to the AWS Marketplace.

Article Topics

 |   |   |   |   |   |   |   | 

Latest Biometrics News

 

Alan Goode offers insights on booming transitional IDV market on BU Podcast

Technology is transforming identity verification. According to Alan Goode of Goode Intelligence, by 2030, digital identity verification will pass traditional…

 

Share less data in more places: inching towards decentralized digital ID for travel

The travel industry is slowly shifting to a more decentralized model of digital identity. This was one of the key…

 

Clearview takes fresh legal hits over Canada class action, UK fine

Few biometrics companies have taken a bigger regulatory and legal beating than Clearview AI. It has already been a rough…

 

Mexico makes biometric identifier mandatory for all citizens

Mexico has officially introduced a digital identification system by signing a law that turned the previously optional biometric-based citizen code…

 

MOSIP highlights the UN DPI Safeguards Initiative

The United Nations’ DPI Safeguards Initiative has released 259 recommendations designed to guide regulators, advocates, donors, technology providers and governments…

 

Brazil adopts DaaS for verifiable credentials

Brazil is the latest country to adopt DPI as a Packaged Solution (DaaS) — a practical framework designed to accelerate…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Biometric Market Analysis

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events