Windows Hello, a very popular keyless, biometric authentication system for logging into a Windows PC, isn’t safe. Researchers have uncovered a critical vulnerability in Microsoft’s Windows 10 password-free authentication platform.
Hackers, having physical access to a computer, an image of the victim, and a special camera, can bypass the Windows Hello login window. The hack essentially authenticates the login attempt and grants complete control of the Windows 10 PC.
Windows Hello, the preferred biometric authentication and login technique for 85% of Windows 10 PC users, can be tricked:
Windows Hello is a feature in Windows 10 that allows users to authenticate themselves without a password. The relatively new method relies on a PIN code or biometric information such as a fingerprint or facial recognition.
Microsoft claims about 85 percent of Windows 10 PC users regularly rely on Windows Hello to gain keyless entry into the computer. It is this security system that researchers have managed to trick.
The Windows Hello bypass vulnerability is tagged as CVE-2021-34466. The exploit requires physical access to a device.
CyberArk Labs discovered the flaw in March and reported it to Microsoft. In a detailed report about the Windows Hello vulnerability, Omer Tsarfati, a cybersecurity researcher at CyberArk Labs, wrote:
“[After gaining access to a Windows 10 PC, hackers can go on] to manipulate the authentication process by capturing or recreating a photo of the target’s face and subsequently plugging in a custom-made USB device to inject the spoofed images to the authenticating host.”
“Further, exploitation of the bypass can extend beyond Windows Hello systems to any authentication system that allows a pluggable third-party USB camera to act as a biometric sensor.”
Security researchers haven’t found any evidence about hackers using the vulnerability in the wild. However, it is quite possible that determined attackers could compromise Windows 10 PCs or laptops of scientists, researchers, or anyone else with sensitive or valuable Intellectual Property (IP).
Microsoft has addressed the Windows Hello Vulnerability in the latest Patch Tuesday Update:
The Windows Hello vulnerability affects both the consumer and business versions of the feature. In other words, every Windows 10 PC, be it Home, Pro, or Enterprise, that uses Windows Hello for authentication is vulnerable.
Microsoft has reportedly addressed the security loophole in the July Patch Tuesday update. Needless to say, all Windows 10 PC users should update their computers immediately to patch the vulnerability.
Incidentally, Windows users with Windows Hello Enhanced Sign-in Security need not worry about the bug. This relatively new security feature requires specialized, pre-installed hardware, drivers, and firmware.
Despite all the security updates, attackers can still potentially manipulate the Windows Hello feature using special USB cameras, warn researchers. Hence, Windows 10 PC or laptop users must not allow unsupervised access to their devices.