Lucene search
K

Microsoft Windows 10 Hello Face Authentication Bypass Vulnerability

🗓️ 20 Dec 2017 00:00:00Reported by Matthias DeegType 
zdt
 zdt
🔗 0day.today👁 32 Views

Microsoft Windows 10 Hello Face Authentication Bypass Vulnerability, Vulnerable Windows 10 Pro Versions, Spoofing Attac

Code
Product: Microsoft Windows Hello Face Authentication
Manufacturer: Microsoft
Affected Version(s): Windows 10 Pro (Version 1709, OS Build 16299.19)
                     Windows 10 Pro (Version 1703, OS Build 15063.726)
                     Windows 10 Pro (Version 1703, OS Build 15063.674)
                     Windows 10 Pro (Version 1703, OS Build 15063.483)
                     Windows 10 Pro (Version 1607, OS Build 14393.1914)
                     Windows 10 Pro (Version 1607, OS Build 14393.1770)
                     Windows 10 Pro (Version 1511, OS Build 10586.1232)
Tested Version(s): Windows 10 Pro (Version 1709, OS Build 16299.19)
                   Windows 10 Pro (Version 1703, OS Build 15063.726)
                   Windows 10 Pro (Version 1703, OS Build 15063.674)
                   Windows 10 Pro (Version 1703, OS Build 15063.483)
                   Windows 10 Pro (Version 1607, OS Build 14393.1914)
                   Windows 10 Pro (Version 1607, OS Build 14393.1770)
                   Windows 10 Pro (Version 1511, OS Build 10586.1232)
Vulnerability Type: Authentication Bypass by Spoofing (CWE-290)
Risk Level: High
Solution Status: Fixed on Windows 10 branches 1703 and 1709 with
                 enabled "enhanced anti-spoofing" feature
Manufacturer Notification: 2017-10-20
Solution Date: 2017-12-18
Public Disclosure: 2017-12-18
CVE Reference: Not yet assigned
Authors of Advisory: Matthias Deeg and Philipp Buchegger (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Microsoft Windows 10 offers a biometric authentication mechanism
using "near infrared" face recognition technology with specific Windows
Hello compatible cameras.

The manufacturer Microsoft describes the face authentication feature as
follows (see [1]):

"Microsoft face authentication in Windows 10 is an enterprise-grade
identity verification mechanism that's integrated into the Windows
Biometric Framework (WBF) as a core Microsoft Windows component called
Windows Hello. Windows Hello face authentication utilizes a camera
specially configured for near infrared (IR) imaging to authenticate and
unlock Windows devices as well as unlock your Microsoft Passport."

Further information about how Windows Hello works and its metrics
concerning false acceptance rate (FAR) and false rejection rate (FRR)
can also be found on the Microsoft website (see [2]).

Due to an insecure implementation of the biometric face recognition in
some Windows 10 versions, it is possible to bypass the Windows Hello
face authentication via a simple spoofing attack using a modified
printed photo of an authorized person.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH discovered that the Microsoft Windows Hello face
authentication using near infrared cameras in some Windows 10 versions
is vulnerable to simple spoofing attacks.

By using a modified printed photo of an authorized user, an unauthorized
attacker is able to log in to or unlock a locked Windows 10 system as
this spoofed authorized user.

Thus, by having access to a suitable photo of an authorized person
(frontal face photo), Windows Hello face authentication can easily be
bypassed with little effort, enabling unauthorized access to the Windows
system.

Both, the default Windows Hello configuration and Windows Hello with
the enabled "enhanced anti-spoofing" feature on different Windows 10
versions are vulnerable to the described spoofing attack and can be
bypassed. If "enhanced anti-spoofing" is enabled, depending on the
targeted Windows 10 version, a slightly different modified photo with
other attributes has to be used, but the additional effort for an
attacker is negligible. In general, the simple spoofing attack is less
reliable when the "enhanced anti-spoofing" feature is enabled.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH could successfully bypass the configured Windows Hello user
authentication with face recognition on two Windows 10 systems using a
modified printed photo (paper printout) of an authorized user.

For example, the spoofing attack was performed against a laptop device
(Dell Latitude E7470) running Windows 10 Pro (Version 1703) with a
Windows Hello compatible webcam [3] and against a Microsoft Surface
Pro 4 device [4] running Windows 10 Pro (Version 1607) with the built-in
camera.

Only the used Microsoft Surface Pro 4 device supported the "enhanced
anti-spoofing" feature of Windows 10. The used LilBit USB IR camera only
supported the default configuration and could not be used with the more
secure face recognition settings.

The default Windows Hello configuration could successfully be bypassed
on both test devices with all tested Windows 10 versions. The more
secure configuration with enabled "enhanced anti-spoofing" feature
could only successfully be bypassed on the Windows 10 branches 1511 and
1607.

Our first proof-of-concept video [6] demonstrates a successful attacks
against Windows Hello Face Authentication on a Microsoft Surface Pro 4
with Windows 10 version 1607 and enabled "enhanced anti-spoofing"
feature.

Depending on the targeted Windows 10 version and the target device
hardware configuration, slightly different modifications of the spoofing
attack had to be used, for example photos with higher resolution
(480x480 pixels instead of 340x340 pixels) or specially colored images.

Our second proof-of-concept video [7] shows two variations of the
spoofing attack utilizing different means.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to test results of SySS GmbH, the newer Windows 10 branches
1703 and 1709 [5] are not vulnerable to the described simple spoofing
attack using a paper printout if the "enhanced anti-spoofing" feature is
used with respective compatible hardware.

SySS recommends to update to the latest revision of Windows 10 version
1709, to enable the "enhanced anti-spoofing" feature, and to reconfigure
Windows Hello Face Authentication afterwards.

If only the Windows 10 operating system is updated from a vulnerable
version like 1607 to the latest revision of 1709 without newly setting up
Windows Hello Face Authentication, the simple spoofing attack still
works, as our third proof-of-concept video [8] illustrates.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2017-10-20: Vulnerability reported to manufacturer
2017-10-20: Manufacturer acknowledges e-mail with SySS security advisory
            and asks for tested configuration
2017-10-25: E-mail to manufacturer answering open questions
            E-mail to manufacturer with updated security advisory
2017-10-26: E-mail from manufacturer with further questions
2017-10-27: E-mail to manufacturer answering open questions
2017-10-27: E-mail from manufacturer with further questions
2017-10-30: E-mail to manufacturer answering open questions and with
            updated security advisory
2017-11-17: E-mail to manufacturer with an updated security advisory
2017-11-28: E-mail from manufacturer requesting further information
2017-12-01: E-mail to manufacturer concerning further information
2017-12-11: E-mail to manufacturer with new test results and revised
            security advisory
2017-12-15: E-mail from manufacturer with further information
2017-12-15: E-mail to manufacturer with updated security advisory
2017-12-18: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1]  Website for Microsoft Windows Hello Face Authentication

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication
[2]  Windows Hello Biometrics in the Enterprise

https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise
[3]  Amazon Link to Windows Hello compatible LilBit Face Tracking Camera

https://www.amazon.de/LilBit-Gesichtserkennung-Kamera-Windows-Schwarz/dp/B071R6ZV7Q/ref=sr_1_3?ie=UTF8&qid=1508435221&sr=8-3&keywords=windows+hello+webcam
[4]  Product website for Microsoft Surface Devices
     https://www.microsoft.com/en-us/surface
[5]  Windows 10 Release Information
     https://technet.microsoft.com/en-us/windows/release-info.aspx
[6]  SySS Proof-of-Concept Video, Biometricks: Windows Hello Face
Authentication Bypass PoC I
     https://www.youtube.com/watch?v=Qq8WqLxSkGs
[7]  SySS Proof-of-Concept Video, Biometricks: Windows Hello Face
Authentication Bypass PoC II
     https://www.youtube.com/watch?v=GVKKcoOZHwk
[8]  SySS Proof-of-Concept Video, Biometricks: Windows Hello Face
Authentication Bypass PoC III
     https://www.youtube.com/watch?v=cayqU3WCOso
[9]  SySS Security Advisory SYSS-2017-027

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-027.txt
[10] SySS Responsible Disclosure Policy
     https://www.syss.de/en/responsible-disclosure-policy/

#  0day.today [2018-02-18]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation