
Windows Hello Bypass Fools Biometrics Safeguards in PCs
2021-07-14 11:05

Windows Hello is a feature in Windows 10 that allows users to authenticate themselves without a password, using a PIN code or a biometric identity (either a fingerprint or facial recognition) to access a device or machine.

The Windows Hello bypass vulnerability, tracked as CVE-2021-34466, requires an attacker to have physical access to a device to exploit it, according to researchers at CyberArk Labs who discovered the flaw in March.

Further, exploitation of the bypass can extend beyond Windows Hello systems to "Any authentication system that allows a pluggable third-party USB camera to act as biometric sensor," Tsarfati noted.

Windows users with Windows Hello Enhanced Sign-in Security, a new security feature in Windows that requires specialized and pre-installed hardware, drivers and firmware, are protected against any attacks "which tamper with the biometrics pipeline," according to Microsoft.

CyberArk researchers posted a video of a proof-of-concept for how to exploit the vulnerability, which can be used on both the consumer version, Windows Hello, and an enterprise version of the feature called Windows Hello for Business that businesses use with Active Directory.

Researchers detailed a somewhat complex way for an attacker to capture someone's image, save the captured frames, impersonate a USB camera device, and eventually send those frames to the Windows Hello system for verification.


News URL

https://threatpost.com/windows-hello-bypass-biometrics-pcs/167771/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                        RISK
2021-07-16  CVE-2021-34466  Authentication Bypass by Spoofing vulnerability in Microsoft Windows 10    5.7
                            (Windows Hello Security Feature Bypass Vulnerability; high complexity;
                            vendor: microsoft; CWE-290)