Passwords often jeopardize security, which is why solutions like Windows Hello, which takes a password-free approach to logging in, are becoming more common.
While Windows Hello promises a more secure experience than conventional passwords, this approach may itself have been circumvented. A security researcher described a complete attack chain for bypassing Windows Hello at the Black Hat US 2021 hybrid conference on August 5.
The researcher explained that regular passwords pose a number of issues. Many passwords are weak and easily guessable, and many people reuse the same password across many sites. To access a system without a password, some type of alternative authentication technique is used.
As an alternative to passwords, biometrics, such as fingerprint scanning or facial recognition, can be used. Windows Hello is Microsoft’s version of a password-free approach. With Windows Hello, users can gain access to a system by using facial recognition, among other methods.
Any Image Works!
So, in order to examine how to circumvent Windows Hello’s facial recognition, the researcher concluded he needed an independent camera.
His solution was to procure an NXP evaluation board, which connects to a Windows computer through USB. The objective was to have the USB device mimic what a real camera would provide to Windows, in order to learn what the system actually processes when it decides whether or not to grant access.
An infrared (IR) sensor is required for the Windows Hello camera, according to the researcher’s findings. To authenticate, Windows Hello requires that the camera be able to transmit both a color picture and IR frames.
The researcher says that Windows Hello doesn’t pay much attention to what’s sent in the color frames. Since it relies on the infrared frames as the test, he sent SpongeBob frames in infrared and it worked.
SpongeBob SquarePants is a popular cartoon character in the United States of America. Actually, Windows Hello only demands a color image, regardless of its content.
An attacker would just require a homemade USB device that impersonated a camera in order to overcome Windows Hello. In order to capture an infrared image, the USB device would need to be able to emit an IR signal. The researcher did not go into much detail regarding how a potential attacker would go about acquiring an IR image from a victim, but he did demonstrate how the Windows Hello bypass works with his own IR image.
The researcher and his employer notified Microsoft about the bug in March of this year, and Microsoft patched it in July.