Microsoft is no real stranger to a bug or two on Windows, and now a new Windows Hello hack proof of concept by cyber security vendor CyberArk shows yet another way in which a motivated threat actor can breach a Windows PC and log in to gain access. This hack, though, is a bit of an old-school one, in the sense that it does not rely on a remote code execution (RCE) exploit for an unpatched bug. Instead, the Windows Hello biometric hack shown by CyberArk taps into a logical flaw that Microsoft appears to have in its Windows Hello login verification process.
To put things simply, CyberArk security researcher Omer Tsarfati used infrared image regeneration to produce an IR image of a person's face from one of that person's publicly available photographs. He then loaded this IR image onto the evaluation board of a device disguised as an external USB camera and plugged it into the person's Windows 10 PC. With Windows Hello authentication enabled, the system takes some time to recognise the USB device, then reads and validates whatever signal comes from it. Because the board is loaded with the IR image in question, it relays that image to the Windows 10 system, which recognises the person's face and authenticates the session as if that very person were sitting in front of the USB camera.
The obvious argument here is that this is a physical hack, so attackers cannot exploit it unless they have physical access to a system. However, Tsarfati underlines that the real risk of such a hack lies with enterprise users, whose work PCs may have biometric authentication enabled precisely to defeat keylogger and phishing attacks aimed at their system passwords. This hack bypasses all such precautions, and so represents a considerable threat to the data security of enterprise Windows 10 PCs that use Windows Hello for keyless and password-less login.
Microsoft has already stated that from some time in 2023, with Windows 11, it will require all laptops to feature a webcam to support Windows Hello and its enhanced security standards. However, it exempts desktop PCs from this requirement, which potentially leaves the prospect of such a breach open for all desktop users. Microsoft, on this note, stated that it released a patch on July 13 that limits and mitigates this issue. To this, Tsarfati states that while the Enhanced Sign-in Security step limits the use of this hack, it does not entirely remove it, and recommends that Microsoft add a further authentication layer on the biometric signal itself to take care of it fully.
Until then, make sure that nobody but you has access to your Windows 10 work PC.