
Security researchers find biometrics vulnerability in Windows Hello for Business


Organizations are increasingly turning to biometrics to secure their corporate networks and assets, but German cybersecurity researchers have found what they say is a flaw in the implementation of Windows Hello for Business that could make it vulnerable to bypass attacks.

Dr. Baptiste David and Tillmann Osswald of ERNW Research told an audience at the Black Hat conference in Las Vegas that a code injection attack on the local machine, combined with a biometric template injected from another PC, can compromise biometric authentication so that any face or fingerprint submitted is accepted.

Business users authenticate with Windows Hello to access company resources through identity and access management (IAM) platforms such as Entra ID or Active Directory.

The attack targets the database that holds the cryptographic key linked to the Windows Biometric Service. That database is protected with CryptProtectData (the Windows Data Protection API, DPAPI), and the researchers recovered the information the protection depends on, which let them break the encryption. Microsoft's Enhanced Sign-in Security (ESS) blocks the attack by moving the sensitive part of the biometric pipeline into the hypervisor-isolated virtual trust level (VTL1), and it is enabled by default where the hardware supports it. But not all PCs support ESS.
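The security-relevant point in the paragraph above is that DPAPI binds data to a security context (a user or the machine), not to the process that called CryptProtectData, so any code running in the same context, including code injected into a service, can decrypt the same blob; only a higher trust level such as VTL1 changes that. The following added example (written for this page, not ERNW's or Microsoft's code, and not the researchers' attack) demonstrates that scope property with a constructed secret, and adds a check of whether virtualization-based security (VBS) is running, which VTL1 requires. It assumes Windows PowerShell 5.1 on Windows with the .NET Framework System.Security assembly; the file name and secret are constructed.

```powershell
# Added illustration, not code from the article or from ERNW.
# DPAPI (CryptProtectData / ProtectedData) keys the protection to a scope,
# CurrentUser or LocalMachine, so a blob written by one process is readable
# by any other process in that scope with no extra secret.
Add-Type -AssemblyName System.Security

function Protect-Blob {
    param(
        [byte[]]$Data,
        [System.Security.Cryptography.DataProtectionScope]$Scope
    )
    # No optional entropy: the protection rests on the scope alone,
    # which is the weak setting this example is about.
    [System.Security.Cryptography.ProtectedData]::Protect($Data, $null, $Scope)
}

function Unprotect-Blob {
    param(
        [byte[]]$Blob,
        [System.Security.Cryptography.DataProtectionScope]$Scope
    )
    [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $null, $Scope)
}

function Get-VbsStatus {
    # VBS must be running for anything to execute at VTL1. This is a
    # prerequisite for ESS, not proof that ESS is active: ESS also needs a
    # secure sensor, which (per the article) non-Intel PCs may lack.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'VBS not enabled' }
        1 { 'VBS enabled but not running' }
        2 { 'VBS running' }
        default { "unknown status $($dg.VirtualizationBasedSecurityStatus)" }
    }
}

# Constructed stand-in for a key; the real biometric key material is not
# on this page and is not used here.
$secret = [Text.Encoding]::UTF8.GetBytes('constructed-key-material')
$blob   = Protect-Blob -Data $secret -Scope LocalMachine
$path   = Join-Path $env:TEMP 'dpapi-scope-demo.bin'
[IO.File]::WriteAllBytes($path, $blob)

# Read the blob back from a fresh, unrelated process. It decrypts because
# the process is in the same LocalMachine scope, nothing more.
$childScript = @"
Add-Type -AssemblyName System.Security
`$b = [IO.File]::ReadAllBytes('$path')
[Text.Encoding]::UTF8.GetString(
    [System.Security.Cryptography.ProtectedData]::Unprotect(`$b, `$null, 'LocalMachine'))
"@
$recovered = & powershell.exe -NoProfile -NonInteractive -Command $childScript

"Recovered by a second process: $recovered"
"Same process, same scope:      $([Text.Encoding]::UTF8.GetString((Unprotect-Blob -Blob $blob -Scope LocalMachine)))"
"Hypervisor isolation available: $(Get-VbsStatus)"

Remove-Item $path -ErrorAction SilentlyContinue
```

Run it as an ordinary user; both lines print the constructed secret, which is the behaviour a VTL0 key store inherits. Contrast that with CurrentUser scope, where a different user's process fails to decrypt, and with VTL1, where no VTL0 process can read the material at all. `Get-VbsStatus` reporting "VBS running" is necessary for ESS but does not by itself prove ESS is in use on a given machine.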

Osswald told The Register that PCs without Intel chips may lack a secure camera sensor and so cannot use ESS.

Osswald describes the attack process in depth in a recent blog post. A June post details how Hello authentication works, along with previously discovered attacks on Windows Hello for Business.

Potential fixes could involve storing biometric data in the Trusted Platform Module (TPM), or a major code rewrite.

Their findings come from a two-year research program, Windows Dissect, which is intended to uncover security flaws in the world’s most popular desktop OS, and is supported by Germany’s Federal Office for Information Security (BSI).
