Microsoft's business-oriented biometrics meet stern rejection from German security experts, who dub the system 'Windows Hell No'
Researchers from ERNW Research have uncovered a significant vulnerability in Microsoft's Windows Hello biometrics system. If exploited, the flaw allows an attacker who already holds local administrator access and can run malware on the machine to bypass biometric authentication, undermining the system's security.
The attack works by reading and manipulating the encrypted biometric templates stored locally on the system. Because the Windows Biometric Service keeps everything needed to unlock that biometric data under the NT SYSTEM account, an attacker who obtains those privileges can decrypt and modify the templates stored on the machine.
One of the key attack steps is biometric template swapping: an attacker replaces a legitimate user's face or fingerprint data with their own and can then log in under that user's identity via Windows Hello for Business. On corporate PCs joined to platforms such as Entra ID or Active Directory, this could give the attacker access to servers under the victim's identity.
The underlying cryptographic protection, which relies on CryptProtectData, is weak because it depends only on system account secrets and uses no external entropy, so an attacker with administrator rights can decrypt the templates. Malware or code-injection techniques can carry out these manipulations stealthily, and if credentials are compromised or privileges escalated, biometric injection could be performed remotely or across PCs within a network domain.
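To make the "no external entropy" point concrete, here is an added illustration (not code from ERNW or from the article) using the .NET wrapper around DPAPI, the mechanism behind CryptProtectData. It shows that a machine-scope blob protected without optional entropy is recoverable by any code on the same machine with the right scope, while a blob protected with an extra secret the caller must supply is not; the template bytes and the entropy value are constructed sample data, and the script runs on Windows only.

```powershell
# Added example, not part of the original article. Windows only.
# DPAPI via System.Security.Cryptography.ProtectedData (the .NET face of CryptProtectData).
Add-Type -AssemblyName System.Security

$scope    = [System.Security.Cryptography.DataProtectionScope]::LocalMachine
$template = [System.Text.Encoding]::UTF8.GetBytes('constructed sample: biometric template bytes')

# Case 1: no optional entropy. The blob's secrecy rests on the machine/account key alone,
# so any code able to call DPAPI in the same scope gets the plaintext back.
$blobNoEntropy = [System.Security.Cryptography.ProtectedData]::Protect($template, $null, $scope)
$recovered     = [System.Security.Cryptography.ProtectedData]::Unprotect($blobNoEntropy, $null, $scope)
"Without entropy, Unprotect succeeds: " + [System.Text.Encoding]::UTF8.GetString($recovered)

# Case 2: optional entropy that is NOT stored next to the blob (constructed value here;
# the point is that the local account's secrets alone are no longer sufficient).
$entropy         = [System.Text.Encoding]::UTF8.GetBytes('constructed-secret-not-stored-with-the-blob')
$blobWithEntropy = [System.Security.Cryptography.ProtectedData]::Protect($template, $entropy, $scope)

try {
    [void][System.Security.Cryptography.ProtectedData]::Unprotect($blobWithEntropy, $null, $scope)
    "With entropy, Unprotect without the secret unexpectedly succeeded"
} catch {
    # Expected: a CryptographicException, because the caller lacks the extra secret.
    "With entropy, Unprotect without the secret fails: " + $_.Exception.GetBaseException().Message
}

$ok = [System.Security.Cryptography.ProtectedData]::Unprotect($blobWithEntropy, $entropy, $scope)
"With entropy and the secret, Unprotect succeeds: " + [System.Text.Encoding]::UTF8.GetString($ok)
```

The same contrast is why the article points to TPM-backed storage and Enhanced Sign-in Security as mitigations: they move the secret needed to unlock the templates out of reach of an account that merely runs as SYSTEM.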
There are measures that mitigate the attack. Where possible, using a PIN rather than biometrics for Windows Hello offers stronger protection against template swapping. Ensuring that devices support and enable TPM and Enhanced Sign-in Security features also better protects biometric data. Restricting local administrator access, and monitoring for privilege escalation and for malware that could manipulate the biometric store, are equally essential.
Regularly updating Windows and firmware to obtain the latest patches for these flaws is also crucial. Microsoft's Enhanced Sign-in Security (ESS) and Trusted Platform Module (TPM) storage can mitigate the attack, but not all devices support these protections; many non-Intel machines and legacy hardware remain vulnerable.
The findings on Windows Hello were presented at the Black Hat conference in Las Vegas. More revelations from the "Windows Dissect" research program are expected, with the program concluding next spring. The researchers hope the findings will prompt a significant code rewrite, or the use of the TPM to store biometric data, to fix the flaw.
Microsoft did not immediately respond to inquiries about the findings. Users should be vigilant and take the necessary steps to secure their systems against this vulnerability. ThinkPads purchased around one and a half years ago, for instance, do not have a secure camera sensor because they use AMD chips rather than Intel's. Users are advised to be aware of such gaps and to take appropriate measures to secure their devices.
- The security flaw in Microsoft's Windows Hello biometrics system, discovered by ERNW Research, can be exploited by a local administrator running malware: by decrypting biometric data held under the NT SYSTEM account and manipulating the encrypted biometric templates, an attacker can bypass the system's security.
- The attack can lead to unauthorized access to corporate PCs connected to platforms such as Entra ID or Active Directory, because biometric template swapping lets attackers log in under another user's identity via Windows Hello for Business.
- To mitigate the attack, users can adopt stronger protection measures such as using PINs instead of biometrics for Windows Hello, ensuring devices support and enable TPM and Enhanced Sign-in Security features, restricting local administrator access, and monitoring for privilege escalation and malware.
- Regularly updating Windows and firmware with the latest patches is also crucial, especially since the underlying cryptographic protection is weak, relying on system account secrets without external entropy. Not all devices support TPM and ESS, however, leaving many non-Intel machines and legacy hardware vulnerable.