Passwords are often a weak point in security, which is why approaches like Microsoft's Windows Hello that provide passwordless authentication are becoming increasingly popular.
While the promise of Windows Hello is to enable a more secure experience than regular passwords, it is an approach that, as it turns out, could be bypassed. Speaking at the Black Hat US 2021 hybrid event on August 5, Omer Tsarfati, security researcher at CyberArk, outlined a detailed attack chain by which he was able to bypass Windows Hello.
Tsarfati explained that the challenges of regular passwords are well known. They can often be weak and easily guessable, they can fall victim to phishing attacks, and many users reuse the same password on multiple sites. The basic idea behind passwordless authentication is to use some alternate form of authentication technology to log on to a system without the need for a password.
Passwordless approaches can make use of biometrics, such as fingerprint scanning or facial recognition. Windows Hello made its debut in Windows 10 and provides Microsoft's implementation of a passwordless model. With Windows Hello, users can make use of facial recognition to get access to a system, among other methods.
Any Image Will Work for Windows Hello
Tsarfati decided that in order to explore how to bypass Windows Hello's facial recognition, he was going to need a standalone camera.
To that end, he got an NXP evaluation board, which can provide camera functionality to a Windows system via a USB plug. The goal for Tsarfati was to have the USB device mimic what a real Windows system camera would provide to Windows Hello, in order to learn what the system is actually processing as it makes a decision to grant access.
During his research, Tsarfati discovered that Windows Hello requires cameras to have an infrared (IR) sensor. The camera needs to be able to transmit both a color picture as well as IR frames in order for Windows Hello to make an authentication decision.
"Windows Hello doesn't really pay attention to anything that you're sending in the color frames," Tsarfati said. "It's only relying on the infrared. I sent frames of SpongeBob and it worked."
SpongeBob SquarePants is a popular American cartoon character. As it turns out, Windows Hello just requires one color image, and it doesn't matter what that image is.
In order to bypass Windows Hello, an attacker would just need a custom USB device that impersonates a camera. That USB device would then need to be able to transmit an IR image, which could potentially be captured from a victim. Tsarfati did not provide much detail on how a potential attacker would go about actually collecting an IR image from a victim, though he did demonstrate with his own IR image that the Windows Hello bypass does in fact work.
Tsarfati and CyberArk responsibly disclosed the issue to Microsoft in March of this year, and the flaw was formally identified as CVE-2021-34466, which Microsoft patched in July.