Cracking Windows Hello is not impossible, but there is an update


Windows Hello turns out not to be as secure as we thought until now. Windows' identification software is fairly easy to crack using a fake camera, as long as you have infrared images of the device's owner. This allows the software that is meant to recognize biometric properties to be circumvented. Microsoft has since released a security update.

CyberArk Labs

The security issue should have been resolved by now, as Microsoft has released a new update that addresses the vulnerability (known as CVE-2021-34466). Security experts at CyberArk Labs found the weakness when they tested whether they could get in with an infrared frame of the target. The attack also needed one RGB frame, which could contain something else.

That sounds complicated, but here's the bottom line: an attacker can gain physical access to the Windows device by manipulating the authentication process. He does this by taking a photo of the device owner's face and then using a custom USB device to inject the image into the computer. The computer then treats that photo as the biometric data and grants access.

Windows Hello leak

It's a big problem because many people use Windows Hello. In 2019, its use grew from 69 to 84 percent. For many people it is probably not the only method of identification. However, if someone can still gain access by manipulating the machine, the number of authentication methods doesn't matter: only one way in, Hello in this case, is needed to access your system.

While fooling Hello may seem like a cinch, the researchers built the USB device they used themselves. That USB device contains infrared images and pretends to be a webcam, when in fact Hello is looking at a photo. The research shows that Microsoft's Hello only looks at the infrared frames.

‘Insufficient update’

Besides installing the update, Microsoft also advises that the use of external cameras with Windows Hello can be disabled to help keep your account more secure. CyberArk Labs, incidentally, believes that the patch is insufficient to solve the problem, because whether the chance of attacks actually decreases depends on which cameras are used.


Laura Jenny
