Windows Hello biometric verification may be circumvented using a faked USB camera, according to researchers at the University of Buffalo.
A single infrared picture of a user's face, served from a modified USB-based camera, may be enough to circumvent Windows Hello, the biometric user authentication method in Microsoft Windows 10.
Microsoft fixed the issue in July as CVE-2021-34466, with a CVSS score of 5.7. Researchers presenting at Black Hat USA 2021 said the weakness still lets attackers circumvent Windows Hello and Windows Hello for Business, both of which are used to grant users access to their computers, Windows services, and data.
In his study (which he named the Pass-the-PRT attack), Omer Tsarfati used a modified USB stick carrying a faked image of a Windows 10 user to get access to a victim's computer system.
Tsarfati stated that this can be done pretty quickly if you have a valid infrared frame of the target: the next step is to transfer the data onto a cloned USB camera and plug it into the targeted Windows 10 machine.
It may sound like a simple hack, but the attacker must put in a lot of effort to pull it off.
What exactly is a Pass-the-PRT Attack?
Tsarfati stated that his approach avoids the need to obtain the Azure AD (Active Directory) Primary Refresh Token (PRT) required for single sign-on access to Windows, a nod to prior research on the tokens and encryption keys of the Windows ecosystem by Benjamin Delpy and Dirk-Jan Mollema.
As a result, he refers to the flaw as a Pass-the-PRT issue. A Pass-the-PRT attack, like Pass-the-Hash and Pass-the-Ticket attacks, is dangerous because it grants an adversary access not just to local systems but also to Azure-related resources such as Microsoft 365 assets.
The research stated that the biometric sensor (the camera) is the weak link in Windows Hello's biometric authentication system, which combines PIN, fingerprint, and face recognition.
A major weakness in Windows Hello's trust model is that it can be exploited through third-party data sources, said Tsarfati.
Not a Perfect Patch
This past July, Microsoft released a fix after five months of working with CyberArk to validate and debug the problem.
When it comes to Windows Hello, "Microsoft has released a patch that restricts the number of camera manufacturers it supports as well as restricting the usage of external cameras, unless explicitly permitted by the user." The bypass is still possible if the user disables the external camera restrictions.
After CyberArk's study, Microsoft said that its July Patch Tuesday mitigation includes a trusted USB device list for Windows Hello authentication. According to Microsoft, the Windows Update issued on July 13 mitigated the problem.
Owing to how trust is established, this vulnerability may still be exploited by duplicating a trusted external USB device, CyberArk stated on Wednesday.
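Because the article identifies the camera as the weak link and notes that the patch still trusts external cameras once the user permits them, a defender's first step is to know which cameras a Windows Hello machine can actually see. The following PowerShell inventory is an added example written for this page; it is not code from the article, from CyberArk, or from Microsoft. It assumes a Windows 10 host with the built-in PnpDevice module (Get-PnpDevice), and the function name, its -ApprovedInstanceIds parameter and the placeholder instance ID are all constructed for illustration.

```powershell
# Added example (not from the article, CyberArk or Microsoft): inventory
# camera-class devices and flag those attached over USB, the bus the research
# abuses. Assumes Windows 10 with the PnpDevice module available.
function Get-WindowsHelloCameraInventory {
    [CmdletBinding()]
    param(
        # Instance IDs of cameras the organisation has explicitly approved.
        # Constructed placeholder list; replace with your own device records.
        [string[]]$ApprovedInstanceIds = @()
    )

    # Windows exposes cameras under the "Camera" device class (newer builds)
    # and the older "Image" class; query both so nothing is missed.
    $devices = Get-PnpDevice -Class Camera, Image -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'OK' }

    foreach ($d in $devices) {
        # The first segment of the instance ID names the bus (USB, PCI, ACPI, ...).
        $bus = ($d.InstanceId -split '\\')[0]
        [pscustomobject]@{
            FriendlyName = $d.FriendlyName
            InstanceId   = $d.InstanceId
            Bus          = $bus
            IsUsb        = ($bus -eq 'USB')
            Approved     = ($ApprovedInstanceIds -contains $d.InstanceId)
        }
    }
}

# Usage: list USB-attached cameras that are not on the approved list.
# The instance ID below is a constructed placeholder, not a real device.
Get-WindowsHelloCameraInventory -ApprovedInstanceIds @('USB\VID_XXXX&PID_YYYY\SERIAL-PLACEHOLDER') |
    Where-Object { $_.IsUsb -and -not $_.Approved } |
    Format-Table -AutoSize
```

Two caveats when reading the output. Many built-in laptop cameras are also wired to an internal USB controller, so IsUsb alone does not mean "external"; the approved list is what separates a known built-in sensor from a newly attached one. And, as CyberArk's finding above makes clear, a device that presents the same identifiers as a trusted camera will pass an identifier-based check, so this inventory is a detection and audit input for spotting newly appearing cameras, not a substitute for keeping the external camera restriction enabled.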
Researchers notified Microsoft of the issue in March 2021. It took Microsoft a month to acknowledge the issue. Microsoft released mitigation advice on July 13th, 2013.