Smartphones used biometric authentication such as fingerprints and faces before it became common on laptops and even desktops. Microsoft's Windows Hello framework is an effort to bring the same mix of convenience and security to the desktop platform, and, for the most part, it seems to work quite well. However, new security research reveals a serious flaw in Windows Hello's face recognition that allows authentication to be bypassed with a specialized USB device. Fortunately, exploiting it in real life is not as simple as the weakness itself.
The research was carried out by security researchers at CyberArk, who asked how easily Windows Hello, or at least its face recognition component, could be fooled. Windows requires that the PC have a camera with both an RGB sensor and an IR sensor for Windows Hello face recognition to work. Apparently, however, only the data from the IR sensor actually matters for passing the Windows security check.
The researchers built a USB device from an NXP evaluation board that presented itself as a USB camera with RGB and IR sensors. In reality, however, the device simply sent premade image frames: IR frames of the legitimate owner and RGB frames of SpongeBob. After several tests, the researchers found that they only needed a single IR frame and a plain black RGB frame to fool Windows Hello.
According to CyberArk, the vulnerability exists because Windows Hello allows external devices to act as the data source for biometric authentication. On the one hand, it has little choice but to do so, because not all Windows PCs have a built-in camera or fingerprint sensor. On the other hand, the research shows that this is also the weakest link in what should be a very secure system.
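As an added illustration (not CyberArk's research code or Windows Hello's actual logic), the check below shows the kind of cross-sensor consistency test a biometric pipeline can apply to frames arriving from an external camera: it rejects the single IR frame plus flat black RGB frame described above, because the RGB frame carries no image content and does not agree with the IR frame. The frames, the bright blob standing in for a face, and the thresholds are all constructed assumptions.

```python
"""Illustrative frame-pair consistency check (added example; not CyberArk's
or Microsoft's code). A pipeline that only trusts the IR frame can be fed a
flat RGB frame; requiring the two sensors to agree closes that gap.
Frames are constructed inline as small greyscale grids (lists of rows)."""

WIDTH, HEIGHT = 8, 8

def make_frame(fn):
    """Build a HEIGHT x WIDTH frame of 0..255 values from fn(x, y)."""
    return [[fn(x, y) for x in range(WIDTH)] for y in range(HEIGHT)]

def mean(vals):
    return sum(vals) / len(vals)

def std(vals):
    m = mean(vals)
    return (sum((v - m) ** 2 for v in vals) / len(vals)) ** 0.5

def correlation(a, b):
    """Pearson correlation of two frames' pixel values; 0 if either is flat."""
    fa = [v for row in a for v in row]
    fb = [v for row in b for v in row]
    sa, sb = std(fa), std(fb)
    if sa == 0 or sb == 0:
        return 0.0
    ma, mb = mean(fa), mean(fb)
    cov = sum((x - ma) * (y - mb) for x, y in zip(fa, fb)) / len(fa)
    return cov / (sa * sb)

def frames_consistent(rgb_luma, ir, min_std=8.0, min_corr=0.5):
    """Accept only if the RGB frame has real content AND matches the IR
    frame's structure. Thresholds are assumptions for this toy example."""
    if std([v for row in rgb_luma for v in row]) < min_std:
        return False  # flat frame, e.g. the all-black RGB frame from the research
    return correlation(rgb_luma, ir) >= min_corr

# Constructed sample: a bright blob in the centre stands in for a face.
def blob(x, y):
    return 200 if 2 <= x <= 5 and 2 <= y <= 5 else 40

ir_frame = make_frame(blob)
rgb_from_real_camera = make_frame(lambda x, y: blob(x, y) + (x % 2) * 10)
rgb_black = make_frame(lambda x, y: 0)

def demo():
    """Returns (verdict for a genuine pair, verdict for the spoofed pair)."""
    return (frames_consistent(rgb_from_real_camera, ir_frame),
            frames_consistent(rgb_black, ir_frame))

if __name__ == "__main__":
    print(demo())  # genuine pair accepted, black-RGB pair rejected
```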
Fortunately, it's not a horror story waiting to happen. In order to exploit this weakness, attackers need to obtain an IR image of the target's face, which is no easy feat. They would also need physical access to the desktop or laptop, and at that point there might be other ways into the system.