FB pixel

CyberArk Labs tests biometric presentation attacks against Windows Hello

Spoofing face biometrics via a custom USB camera
CyberArk Labs tests biometric presentation attacks against Windows Hello
 

Cybersecurity research firm CyberArk Labs has revealed data from its latest experiment focusing on a successful spoofing attempt of Windows Hello biometrics-powered systems.

Describing the findings in a blog post, CyberArk said it had discovered a new design flaw in Windows Hello that would potentially allow attackers to bypass the platform’s facial recognition capabilities altogether.

The attack reportedly works through the injection of a target’s face photo via a custom-made USB camera.

Once the camera is connected to the computer, the spoofed image is injected into the authenticating host, which ‘believes’ the device to be its main camera, and the photo contained in it a live image.

Through this process, CyberArk researchers were able to get around Windows Hello’s face biometric check entirely.

Writing in the blog post, CyberArk clarified that, while the attack was tested against a Windows Hello for Business system, any platform that allows a pluggable third-party USB camera to act as a biometric sensor could be potentially susceptible to this attack.

“At the heart of this vulnerability lies the fact that Windows Hello allows external data sources, which can be manipulated, as a root of trust,” the post reads.

The findings also showed that any USB device can be cloned, potentially impersonating any other USB device.

“Identifying a USB device by a descriptor provided by the device is the main reason for this. The OS cannot validate such a device’s authenticity, at least not according to the USB specification.”

However, the cybersecurity firm also clarified that not all USB devices input can lead to a security risk.

“The answer lies in the input itself. Keyboard input [for example] is known only to the person who is typing before the information is entered into the system, while camera input isn’t.”

Following the publishing of the new findings, Microsoft has released a mitigation document on July 13, trying to patch the Windows Hello vulnerability.

The results of the research will be discussed by CyberArk at the Black Hat 2021 web conference on August 4 and 5, 2021.

CyberArk has also recently added new digital identity solutions to the AWS Marketplace.

Article Topics

 |   |   |   |   |   |   |   | 

Latest Biometrics News

 

Biometrics firms pitch privacy in age assurance ahead of US court battle

The U.S. is facing its first constitutional debate connected with age verification in 20 years: The Supreme Court will have…

 

Permira finalizes $1.3B majority stake acquisition of BioCatch

Permira Growth Opportunities has completed the acquisition of a majority position in behavioral biometrics and fraud prevention business BioCatch, four…

 

ATO attacks surge in Q2 2024, Sift warns of growing ‘Fraud-as-a-Service’ threat

A recent report highlights the growing threat of account takeover (ATO) attacks, which surged by 24 percent in the second…

 

EU AI pact sets new standards for ethical AI use across Europe

By Tony Porter, Chief Privacy Officer at Corsight AI The European Union’s AI Pact marks a crucial step towards forming…

 

Deepfake detection challenge, integration to protect content integrity unveiled

A new deepfake detection competition has been announced with the intention of advancing “next-generation deepfake detection and localization systems” development….

 

Utah judge blocks age verification requirement for social media

A federal judge in Utah has ruled in favor of tech lobby group NetChoice and against the state’s new law…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events