Article Details

Scrape Timestamp (UTC): 2025-08-07 20:29:21.318

Source: https://www.theregister.com/2025/08/07/windows_hello_hell_no/

Original Article Text


German security researchers say 'Windows Hell No' to Microsoft biometrics for biz

Hello loophole could let a rogue admin, or a pwned one, inject new facial scans.

Black Hat

Microsoft is pushing hard for Windows users to shift from passwords to its Hello biometrics system, but researchers sponsored by the German government have found a critical flaw in its business implementation.

In a presentation at the Black Hat conference in Las Vegas, Dr Baptiste David and Tillmann Osswald from independent security shop ERNW Research demonstrated how the Hello system can be cracked: a local admin, or someone who has obtained an admin's credentials via malware or other means, can inject biometric information into a computer so that it will recognize any face or fingerprint.

Hello supports authentication for business users, so that corporate PCs can link into platforms like Entra ID or Active Directory to clear access to servers. It does this by storing a cryptographic key in a database that links with Microsoft's Windows Biometric Service. CryptProtectData guards the database, but the duo found that someone with local admin access can break the encryption using information found in the software.

However, Microsoft also has Enhanced Sign-in Security (ESS), which operates at the higher hypervisor virtual trust level (VTL1) and should block the attack; it is turned on by default. Unfortunately, not all PCs support it.

"ESS is very effective at blocking this attack, but not everyone can use it," Osswald told The Register. "For example, we bought ThinkPads around one and a half years ago, but sadly they do not have a secure sensor for the camera because they use AMD chips and not Intel's."

[Image: Baptiste David and Tillmann Osswald demonstrate their system]

The two demonstrated the flaw live on stage. David logged in using a facial scan, then, with a couple of lines of code, Osswald was able to insert a Hello facial scan he had made on another machine into the database and unlock David's machine instantly.

It is going to be difficult to fix, they said, and would require a significant code rewrite or an attempt to use the TPM to store the biometric data, which might not be possible. They recommended that, if you are using Hello for Business without ESS, you disable the biometrics and stick with logging in using a PIN.

Microsoft did not immediately respond to our inquiries about the findings. We'll update this if they do.

Germany's Federal Office for IT Security funded the two-year research program, dubbed Windows Dissect, which will conclude next spring. More revelations are expected, we're told.
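The researchers' mitigation, disabling Hello biometrics on machines that cannot run ESS, is a policy change an administrator can audit and apply from PowerShell. The following script is an added example written for this page; it is not code from The Register, ERNW, or Microsoft. It assumes the documented `Win32_DeviceGuard` CIM class for the virtualization-based security (VBS) state that ESS depends on, and the `Enabled` value under `HKLM\SOFTWARE\Policies\Microsoft\Biometrics`, which is where the "Allow the use of biometrics" Group Policy setting is written. The names `Get-VbsState`, `Get-BiometricPolicy` and `Disable-HelloBiometrics` are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or ERNW): audit an endpoint for the
# VBS prerequisite of Enhanced Sign-in Security and, where ESS cannot be
# active, apply the researchers' recommended mitigation by policy so users
# fall back to the Hello PIN. Run with -Enforce to apply; -WhatIf previews.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

function Get-VbsState {
    # Documented class; VirtualizationBasedSecurityStatus: 0 = not enabled,
    # 1 = enabled but not running, 2 = running. ESS runs in VTL1 and therefore
    # needs VBS; VBS running does NOT by itself prove ESS is on (secure sensor
    # hardware is also required), so this check can only prove the negative.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'
    [pscustomobject]@{
        VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        ServicesRunning = $dg.SecurityServicesRunning
    }
}

function Get-BiometricPolicy {
    # "Allow the use of biometrics" GPO -> Biometrics\Enabled (assumed mapping).
    # An absent value means biometrics are allowed by default.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
    $val = Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $val)        { return 'NotConfigured (biometrics allowed)' }
    if ($val.Enabled -eq 0)    { return 'Disabled' }
    return 'Enabled'
}

function Disable-HelloBiometrics {
    # Writes the policy value that disables Hello biometrics; Hello PIN is unaffected.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
    if ($PSCmdlet.ShouldProcess($key, 'Set Enabled=0 (disable Hello biometrics)')) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'Enabled' -Value 0 -Type DWord
        Write-Host "Biometrics disabled by policy; takes effect at next sign-in."
    }
}

$vbs    = Get-VbsState
$policy = Get-BiometricPolicy
Write-Host ("VBS running: {0}  (security services: {1})" -f $vbs.VbsRunning, ($vbs.ServicesRunning -join ','))
Write-Host ("Biometric policy: {0}" -f $policy)

if (-not $vbs.VbsRunning) {
    Write-Warning "VBS is not running, so ESS cannot be active on this machine."
    if ($policy -ne 'Disabled') {
        if ($Enforce) { Disable-HelloBiometrics }
        else          { Write-Warning "Hello biometrics still allowed; re-run with -Enforce to disable them." }
    }
} else {
    Write-Host "VBS is running. Confirm ESS separately (Settings > Accounts > Sign-in options) before relying on it."
}
```

The script deliberately treats "VBS not running" as the only automatic trigger: that is the one state in which ESS is provably unavailable. On machines where VBS is up, ESS still depends on the sensor hardware the researchers mention, so the decision to keep biometrics there should be made per device model rather than by this check alone. In a managed fleet the same value is normally pushed through Group Policy or Intune rather than set locally; the local write here is for a single-machine audit or a lab.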

Daily Brief Summary

VULNERABILITIES // Critical Flaw Found in Microsoft's Windows Hello Biometric System

German researchers identified a critical vulnerability in Microsoft's Windows Hello system, allowing unauthorized biometric data injection, potentially compromising business security.

The flaw enables local administrators or compromised accounts to insert facial or fingerprint scans, bypassing standard authentication protocols.

The vulnerability affects business users relying on Hello for authentication with platforms like Entra ID and Active Directory.

Microsoft's Enhanced Sign-in Security (ESS) can block the attack but is not universally supported across all devices.

Researchers demonstrated the exploit at Black Hat, showcasing the ease of bypassing Hello's protections with minimal code.

A comprehensive fix requires significant code changes or leveraging TPM modules, but feasibility remains uncertain.

Users are advised to disable biometrics in favor of PINs if using Hello without ESS, pending further updates from Microsoft.

The research, backed by Germany's Federal Office for IT Security, is ongoing, with more findings anticipated next spring.