Key Takeaways
1. ERNW has found a design weakness in Windows Hello for Business that lets an attacker who already holds administrative rights on a device take over another user's identity on that device.
2. The “Face Swap” attack targets the way Windows Hello stores and looks up biometric templates, not the biometric sensor itself.
3. Because the mapping between a user and their biometric template sits in a database an administrator can read and modify, an admin can rewrite that mapping so their own face matches the victim's account.
4. A proof of concept showed that swapping the identifiers of two enrolled users is enough to log in as the victim with the attacker's face.
5. Microsoft has been informed; ERNW considers a comprehensive fix unlikely because it would require a redesign of the system's architecture.
A recent investigation by ERNW, a security research company based in Germany, has uncovered a weakness in Windows Hello for Business, Microsoft's passwordless authentication system. The work was carried out in a project supported by Germany's Federal Office for Information Security (BSI). The findings show that an attacker who already has privileged access to a device can exploit the system's design to impersonate other users of that device; this is a local attack, not a remote one.
The Face Swap Attack
The attack, called “The Face Swap,” exploits how Windows Hello handles biometric information. The biometric sample is never sent anywhere for verification; a successful local match instead unlocks a cryptographic key that is kept on the device, and that key is what actually authenticates the user. Which stored template belongs to which user is recorded in a database on the device, and ERNW's researchers found that anyone with administrative rights can reach and alter that database. The security of the login therefore rests on the integrity of a file that a local administrator controls, not on the uniqueness of the user's face.
Proof-of-Concept Demonstration
During their testing, the researchers swapped the identifiers of two users enrolled on the same machine. The swap fooled the system completely: the attacker simply sat in front of the camera, Windows Hello matched their face, and they were signed in to the victim's account with everything that account can reach, including corporate network resources, files, and sensitive data.
In simpler words, on any Windows computer with Windows Hello enabled that has more than one user profile, anyone holding administrative rights can impersonate the other users of that system. The prerequisite is a real constraint: an attacker without admin rights on the device cannot carry out the swap.
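The conditions the article describes (a shared device, Windows Hello in use, and one or more accounts that hold local administrator rights and can therefore touch the template database) can be audited from an elevated prompt. The following PowerShell script is an added example written for this page; it is not code from ERNW or Microsoft, and it is read-only. The article does not name the database location or the service, so the path `$env:SystemRoot\System32\WinBioDatabase` and the service name `WbioSrvc` are assumptions taken from the standard Windows layout.

```powershell
# Added example, not from the article or from ERNW/Microsoft: a read-only audit of
# one machine for the preconditions of a Face Swap-style template substitution.
# Run from an elevated PowerShell prompt on the device being checked.
# Assumptions (not stated in the article): biometric templates are stored under
# $env:SystemRoot\System32\WinBioDatabase and the Windows Biometric Service is 'WbioSrvc'.

$dbPath = Join-Path $env:SystemRoot 'System32\WinBioDatabase'   # assumed location

# 1. Who could rewrite the user-to-template mapping: members of local Administrators.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name)

# 2. Interactive user profiles on the device (service and system profiles are flagged Special).
$profiles = @(Get-CimInstance -ClassName Win32_UserProfile |
              Where-Object { -not $_.Special } |
              Select-Object -ExpandProperty LocalPath)

# 3. Is the biometric stack actually in use on this machine?
$svc = Get-Service -Name 'WbioSrvc' -ErrorAction SilentlyContinue   # assumed service name

# 4. What is in the template store and who has rights on it (listing may require SYSTEM).
$templateFiles = @(Get-ChildItem -Path $dbPath -Force -ErrorAction SilentlyContinue)
$acl = Get-Acl -Path $dbPath -ErrorAction SilentlyContinue

$report = [PSCustomObject]@{
    BiometricService    = if ($svc) { $svc.Status.ToString() } else { 'not present' }
    TemplateFiles       = $templateFiles.Count
    UserProfiles        = $profiles
    LocalAdministrators = $admins
    DatabaseAccess      = if ($acl) {
                              $acl.Access | ForEach-Object {
                                  "$($_.IdentityReference): $($_.FileSystemRights)"
                              }
                          } else { 'ACL not readable from this context' }
    # A shared device whose biometric service is running is the setting the attack needs;
    # the accounts listed above under LocalAdministrators are the ones that could carry it out.
    SharedDeviceWithHello = ($profiles.Count -gt 1) -and ($svc -ne $null) -and ($svc.Status -eq 'Running')
}

$report | Format-List
```

The useful output is the combination of `SharedDeviceWithHello` and `LocalAdministrators`: every machine has at least one administrator, so the point of the check is to see which accounts hold that right on devices where several people enrol faces, and to shrink that list where it is larger than it needs to be. Because the mitigation is architectural rather than a simple patch, limiting who is an administrator on shared Hello-enabled devices is the control that is actually in the operator's hands.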
Disclosure and Future Implications
ERNW has reported these findings to Microsoft, but the researchers consider a comprehensive fix unlikely, since it would require a redesign of the system's architecture rather than a patch to a single component. Separately, ERNW also reported a significant flaw in Linux systems two weeks earlier that allowed attackers unrestricted access to affected systems.
Source:
link