German researchers show ‘Windows Hell No’ flaw at Black Hat

Microsoft is pushing Windows users away from traditional passwords and toward its Hello biometric sign-in. Researchers funded by the German government have now shown a significant weakness in how that sign-in is implemented.

Critical Vulnerability Uncovered

During a presentation at the Black Hat conference in Las Vegas, Dr. Baptiste David and Tillmann Osswald from ERNW Research, an independent security firm, showed how the Hello system can be abused. Their demonstration revealed that anyone with local admin access, whether a legitimate administrator or malware that has obtained such credentials, can inject biometric data into the machine, causing the system to accept a face or fingerprint of the attacker's choosing and so bypass the sign-in check.

Hello for Business lets corporate PCs authenticate to Entra ID or Active Directory and thereby reach company servers. It does so by storing a cryptographic key in a database managed by Microsoft's Windows Biometric Service. That database is protected with CryptProtectData, but the researchers found that a local administrator can undo this protection and tamper with the stored data.

To counter this class of attack, Microsoft offers Enhanced Sign-in Security (ESS), which moves the sensitive processing into a higher hypervisor virtual trust level (VTL1) and is enabled by default. Not all PCs support it, however.

“ESS is very effective at blocking this attack, but not everyone can use it,” Osswald explained to The Register. “For example, we bought ThinkPads around one and a half years ago, but sadly they do not have a secure sensor for the camera because they use AMD chips and not Intel’s.”

Live Demonstration of the Flaw

The researchers backed up the finding with a live demonstration. David first logged in with a facial scan; Osswald then ran a few lines of code to insert a Hello facial scan he had captured on a different machine into the database, after which he could unlock David's device immediately.

The researchers acknowledged that fixing the issue will be hard: it would likely require a substantial rewrite, or using the TPM to store biometric data securely, which may not be feasible. In the meantime they advise organizations relying on Hello for Business without ESS to disable biometric authentication and fall back to PIN login.
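One way to apply that interim advice across a fleet is to disable biometric sign-in through Windows' Group Policy registry keys so users fall back to the Hello PIN. The script below is an added example, not code from ERNW or Microsoft; it assumes the standard `HKLM\SOFTWARE\Policies\Microsoft\Biometrics` policy keys and uses the virtualization-based security (VBS) status only as a coarse prerequisite indicator for ESS, not as proof that ESS is active.

```powershell
# Added example: disable biometric sign-in by policy on a Hello for Business
# machine that cannot run ESS, so users fall back to the PIN. Run elevated.
# Registry paths are the standard Biometrics policy keys (assumed, see lead-in).

$BioPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
$CredPolicy = Join-Path $BioPolicy 'Credential Provider'

function Get-VbsStatus {
    # Win32_DeviceGuard reports whether virtualization-based security is running.
    # ESS (VTL1) needs VBS, but a running VBS alone does not prove ESS is on.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    switch ($dg.VirtualizationBasedSecurityStatus) {
        2       { 'Running' }
        1       { 'Enabled, not running' }
        default { 'Not enabled' }
    }
}

function Disable-HelloBiometrics {
    foreach ($p in @($BioPolicy, $CredPolicy)) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    }
    # "Allow the use of biometrics" = Disabled
    Set-ItemProperty -Path $BioPolicy  -Name 'Enabled'         -Value 0 -Type DWord
    # "Allow domain users to log on using biometrics" = Disabled
    Set-ItemProperty -Path $CredPolicy -Name 'Domain Accounts' -Value 0 -Type DWord
}

function Test-HelloBiometricsDisabled {
    # Read both values back so the result reflects what is actually in the registry.
    $a = (Get-ItemProperty -Path $BioPolicy  -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    $b = (Get-ItemProperty -Path $CredPolicy -Name 'Domain Accounts' -ErrorAction SilentlyContinue).'Domain Accounts'
    return ($a -eq 0 -and $b -eq 0)
}

Write-Host "VBS status: $(Get-VbsStatus)"
Disable-HelloBiometrics
if (Test-HelloBiometricsDisabled) {
    Write-Host 'Biometric sign-in disabled by policy; Hello PIN sign-in remains available.'
} else {
    Write-Warning 'Policy values were not applied; confirm the shell is elevated.'
}
```

The policy takes effect at the next sign-in; to restore biometrics later, remove the two values or set them back to 1.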

Microsoft had not responded to inquiries about the findings at the time of writing. The research, funded by Germany's Federal Office for IT Security, is part of a two-year program named Windows Dissect that concludes next spring, and further results are expected in the coming months.
