Biometric spoof of Windows Hello not really resolved — researchers

It is still possible to fake out the face-biometric lock in Microsoft’s Windows 10 Hello authentication app.

The so-called pass-the-PRT attack, first identified by CyberArk Labs last month, gives unauthorized people access to Microsoft’s Azure resources, including 365 assets without an attacker needing to look like the target.

It also enables access to on-premises assets by allowing external data sources to collect biometric data, according to CyberArk researcher Omer Tsarfati.

In a post, Tsarfati writes that, as of August 4, Microsoft had taken steps to make the exploit less likely. He agrees that the opportunity is narrowed, but exploitation is still possible.

Doing so is a cumbersome, multi-step process that likely means attackers or their devices have to be physically close to a person. That just means attackers have to be more selective with their efforts.

Tsarfati has pointed out the counterintuitive way that this exploit works. Windows Hello is designed to identify a registered system user, but until this problem came to light, Windows did not need a secure USB camera.

The researchers cloned a camera and put a single infrared frame of the target and a black frame on it. (Now cameras from a list of trusted vendors must be used with the Windows Hello.)

While not trivial, it is possible to get IR images of a person.

Tsarfati also says that it might be possible to fake an IR data from a color image using filters or a machine learning algorithm.

The only way to guard against this biometric spoof attack completely is to only use cameras from a list approved as trusted with Windows devices.

His post, with video, goes into detail about the problem and the stakes.

Article Topics

authentication  |  biometrics  |  CyberArk  |  facial recognition  |  identity verification  |  Microsoft  |  spoofing  |  Windows Hello