The world is finally poised to leave passwords in the dust, but a researcher presenting at Black Hat this week demonstrated how the passwordless Windows Hello system could be defeated.
“We wanted to do research on Windows Hello because it’s passwordless and it’s cool,” explained Omer Tsarfati, a Cyber Security Researcher at CyberArk.
Windows Hello is widely available for individuals and enterprises. Once enabled, it lets you log in to your Windows computer with a PIN code, fingerprint reader, or facial recognition. Hardware security keys are also an option. Importantly, no passwords are required.
Part of what intrigued Tsarfati about the facial-recognition component of Windows Hello was that it relied on public data. That is, your face. After all, anyone who can see your face has access to the data necessary to log in.
Knock, Knock
Tsarfati’s plan of attack was straightforward: He would intercept all the necessary information from an existing USB camera and then feed that into an NXP evaluation board. Once configured, the evaluation board would mimic the original USB camera to the target computer. Then, Tsarfati could feed captured video data into the board and log in to Windows Hello.
Tsarfati encountered several obstacles along the way. For example, it turned out that Windows Hello doesn’t use the normal, color video feed for authentication. “You can actually send it anything you want,” he said. In his case, he sent a single frame of SpongeBob SquarePants.
What Windows Hello is actually interested in is infrared video, and it will only work with a webcam that has both color and infrared video. But here, too, Tsarfati hit a stumbling block. The camera, he explained, was sending a lot of video frames that were not valid, but he knew Microsoft must have already figured out how to deal with this problem. Tsarfati used Microsoft’s own tools against it by capturing the video through Microsoft Media Framework. This time, Windows Hello accepted the phony input.
Hello, Hello
While Tsarfati’s work showed the vulnerabilities of a passwordless system, he was quick to say that sticking with passwords isn’t the solution. People tend to use weak passwords and then reuse those passwords on multiple sites. Passwords also get stolen in data breaches, or surrendered in phishing attacks.
PCMag recommends creating unique, complex passwords for every site and service with a password manager, and enabling multi-factor authentication wherever it’s available.
The good news is that Windows Hello is not hopelessly broken. In the time since Tsarfati’s team disclosed their work to Microsoft, the company has issued a few mitigations. Now, Windows Hello will only use a camera that it has seen before to perform authentication, and it disables other external cameras.
Despite those changes, Tsarfati pointed out that if a victim already used an external camera, an attacker would simply have to mimic that specific camera to carry out the attack. So maybe make sure you don’t let people you don’t trust anywhere near your computer.
Tsarfati sees a larger problem, however. “It’s not even about Windows Hello, specifically,” he said. “It’s about an authentication mechanism that’s based on public information.” Hiding your face may be the only solution.
Keep reading PCMag for more Black Hat coverage.