Microsoft fixes Windows Hello authentication bypass vulnerability



Microsoft has patched a security feature bypass vulnerability in Windows Hello, its biometrics-based authentication technology, that lets attackers spoof a target's identity and trick the facial recognition mechanism into granting them access to the system.


According to Microsoft, the share of Windows 10 customers signing in to their devices with Windows Hello instead of a password grew from 69.4% to 84.7% during 2019.


Exploitation requires physical access


As discovered by CyberArk Labs security researchers, attackers can build a custom USB device that Windows Hello will accept and use it to feed the host a single valid infrared (IR) frame of the target, completely bypassing Windows Hello's facial recognition mechanism.


CyberArk's Omer Tsarfati reported the Windows Hello vulnerability, now tracked as CVE-2021-34466 and rated Important severity, to Microsoft in March.


Based on Microsoft's assessment of the vulnerability, exploitation requires an unauthenticated adversary with physical access to the target's device, and the attack is rated as high complexity.
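Because the attack hinges on the host accepting an attacker-supplied USB camera, a practical first step for defenders is to know which camera devices a Windows Hello host is actually exposing. The following PowerShell inventory is an added example written for this article; it is not code from Microsoft or CyberArk. It assumes that webcams and IR cameras are enumerated under the PnP device classes `Camera` and `Image`, and it uses an `InstanceId` beginning with `USB\` as a heuristic for an externally attachable camera (an assumption: many built-in laptop cameras are also internally USB-attached, so the list is for review, not automatic blocking).

```powershell
# Added example, not from the article or the researchers: list the camera
# devices currently present on a Windows 10 host and flag those on the USB bus.
# Assumption: cameras usable by Windows Hello appear in the 'Camera' or 'Image'
# PnP classes. Assumption: an InstanceId prefixed 'USB\' marks a camera that
# could have been attached externally; built-in cameras can match this too.
function Get-HelloCameraInventory {
    $cameras = Get-PnpDevice -Class Camera, Image -PresentOnly -ErrorAction SilentlyContinue

    foreach ($dev in $cameras) {
        [PSCustomObject]@{
            FriendlyName = $dev.FriendlyName
            InstanceId   = $dev.InstanceId
            Status       = $dev.Status
            OnUsbBus     = $dev.InstanceId -like 'USB\*'
        }
    }
}

# Show USB-attached cameras first so unexpected devices stand out.
Get-HelloCameraInventory | Sort-Object OnUsbBus -Descending | Format-Table -AutoSize
```

Run it on a known-good baseline and again after suspected tampering; a camera that is present now but absent from the baseline, or a second camera alongside the built-in one, is worth investigating before relying on face sign-in on that machine.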


"The vulnerability allows an attacker with physical access to the device to manipulate the authentication process by capturing or recreating a photo of the target’s face and subsequently plugging in a custom-made USB device to inject the spoofed images to the authenticating host," security researcher Omer Tsarfati explained.


"We have no evidence that this attack has been used in the wild, but it could be used by a motivated attacker to target a researcher, scientist, jo ..
