Microsoft’s Windows Hello was fooled by researchers using a high-quality photo and black frame. Full findings will be presented at Black Hat Las Vegas.
Computers are hard. We often use metaphors within the construction industry to compare in the software development process, but the complexities that lie within software R&D are far more intricate than can be described with a metaphor. It’s not just about the software itself, but also the infrastructure it runs on. When infrastructure has a vulnerability, the consequences are dire. If we’re using the construction metaphor, it’s akin to building atop quicksand, eventually the whole thing is going to collapse. Or, just as problematic, breaking a water main trying to fix the road. The damage in both cases is widespread and severe.
When Microsoft released Windows Hello, its facial recognition system, it showcased the company’s efforts to move to a password-less society. Passwords are the bane of every IT department around the globe, it’s one of the weakest parts of security because it is controlled by humans. Passwords are increasingly hard to remember because we have so many of them, and it is incredibly common for passwords to be reused on different sites. It’s one of the biggest reasons we always recommend a password manager so that employees don’t have to remember passwords. The system simply logs them in automatically or autofills their credentials.
Biometrics have been the subject of many research studies to determine levels of security, and that’s exactly what security firm CyberArk was doing with Windows Hello when they uncovered a way to trick the system into unlocking when it shouldn’t. For Microsoft, Windows hardware is very diverse, so Windows Hello works with many third-party webcams. By contrast, Apple’s FaceID only works with iPhones and iPads, it is not compatible with the Mac yet, that have more recent cameras installed. This is where CyberArk saw a potential problem.
“We tried to find the weakest point in the facial recognition and what would be the most interesting from the attacker’s perspective, the most approachable option,” says Omer Tsarfati, a researcher at the security firm CyberArk. “We created a full map of the Windows Hello facial-recognition flow and saw that the most convenient for an attacker would be to pretend to be the camera, because the whole system is relying on this input.”
Because Microsoft works with so many third-party products, there is no way to guarantee that the webcam purchased by a consumer offers proper protection. Windows Hello is supposed to only work with webcams that have an infrared sensor along with a regular RGB sensor. But, as CyberArk found, the system doesn’t even look at the RGB data. Which means the background of an image used doesn’t matter, all the researchers needed was one straight-on infrared image of a target’s face and one black frame. With those two things, the team manipulated a USB webcam to deliver an image, tricking Windows Hello into unlocking.
Now, this wouldn’t be easy to do in practice because you need physical access to the target’s machine along with a high-quality infrared image of the target. The findings will be presented at this year’s Black Hat event, and while MIcrosoft has already rolled out patches, it doesn’t rule out the ability of an attacker to get in through a third-party camera. Someone will take this research and use it to find another way to bypass the technology.
The more we try to keep our information private and secure, the more threat actors change their game in an attempt to get that information. Computers are hard, software R&D is even harder. Using metaphors within the construction industry doesn’t always do it justice, and even likening it to embroidery, where if you miss a stitch and don’t catch it, you have to remove everything you’ve done from that point and reconstruct it after fixing the miss, isn’t quite accurate. Think of it more like a combination, hammer a nail on the first floor and cause a fire on the 12th floor, and the only way to fix it is to reconstruct the entire building.
The Windows Hello facial recognition system was fooled by a machine because it didn’t work like it was supposed to. Now we will wait and see if the water main breaks as more researchers and hackers try to find a way to break it all the way.