Microsoft's business biometrics receive a rejection from German security experts, labeled as 'Windows Hell No'
In a shocking revelation at this year's Black Hat conference, German researchers Dr. Baptiste David and Tillmann Osswald demonstrated a significant flaw in Microsoft's Windows Hello for Business biometrics system. This two-year research program, known as Windows Dissect, was funded by Germany's Federal Office for IT Security.
The researchers showcased a code injection attack that allows an attacker with local administrative access or malware to inject biometric information into the Windows Biometric Service database. This manipulation effectively defeats the biometric authentication, allowing the system to recognise any face or fingerprint provided.
The attack exploits weaknesses in how the CryptProtectData (DPAPI) API is used to encrypt the database holding the cryptographic keys linked to biometric authentication, making it possible to break the encryption and inject forged biometric credentials.
This vulnerability is particularly concerning for corporate environments where Windows Hello for Business is used to authenticate users to corporate networks via platforms like Entra ID or Active Directory.
To carry out the attack, the attacker needs local admin access or malware on the device. They use code injection to access and break the encryption protecting the biometric key storage, and then inject arbitrary biometric data, allowing login as any user regardless of the presented biometrics.
Microsoft provides Enhanced Sign-in Security (ESS), which runs in a higher hypervisor virtual trust level (VTL1). ESS blocks this attack by protecting the biometric data at a hardware-protected level. However, not all PCs support ESS because many do not have the required hardware, such as secure camera sensors or specific Intel chips. Devices lacking ESS remain vulnerable.
To mitigate this risk, researchers suggest storing biometric data securely using the Trusted Platform Module (TPM) since TPM can provide hardware-backed security for biometric keys. A major overhaul or rewriting of the biometric code implementation could also address inherent architectural weaknesses. Due to the complexity, researchers believe a simple patch is unlikely, and fixing this flaw may require significant redesign of biometric data handling.
In the meantime, the researchers recommend disabling biometric functions on vulnerable devices, i.e. those using Windows Hello without ESS, and defaulting to PIN-based login methods for business users.
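As an added example (not code from the researchers, Microsoft, or the original article), the following PowerShell script audits a device for the interim recommendation above: it reports whether biometric sign-in is still allowed by policy and whether the Windows Biometric Service is running, and with `-Disable` it writes the value that the standard "Allow the use of biometrics" policy sets, forcing users back to PIN. It assumes it runs elevated and that the administrator has already determined the device lacks ESS; the script does not detect ESS itself.

```powershell
# Added example, not from the researchers or Microsoft. Assumes an elevated session.
# The policy key below is the standard location for the "Allow the use of biometrics" policy.
[CmdletBinding()]
param([switch]$Disable)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'

function Get-BiometricPolicyState {
    # Read-only: report the policy value (absent = biometrics allowed) and the
    # state of WbioSrvc, the Windows Biometric Service that holds the database.
    $enabledValue = $null
    if (Test-Path $PolicyKey) {
        $enabledValue = (Get-ItemProperty -Path $PolicyKey -Name 'Enabled' `
                         -ErrorAction SilentlyContinue).Enabled
    }
    $svc = Get-Service -Name 'WbioSrvc' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyPresent         = ($null -ne $enabledValue)
        BiometricsAllowed     = ($null -eq $enabledValue -or $enabledValue -ne 0)
        BiometricServiceState = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
    }
}

function Disable-BiometricSignIn {
    # Writes Enabled=0, the same value the GPO sets when biometrics are disallowed.
    # Users then authenticate with their Windows Hello PIN instead of face/fingerprint.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'Enabled' -Value 0 `
                     -PropertyType DWord -Force | Out-Null
    Write-Host 'Biometric sign-in disabled by policy; PIN login remains available.'
}

$state = Get-BiometricPolicyState
$state | Format-List
if ($Disable -and $state.BiometricsAllowed) { Disable-BiometricSignIn }
```

Run it without `-Disable` first to see the current state; a reboot or `gpupdate /force` may be needed before the credential provider honours the change.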
Here's a summary of the key aspects:
| Aspect | Description |
|---|---|
| Flaw Type | Code injection enabling biometric data injection |
| Attack Prerequisite | Local admin access or malware |
| Target | Windows Biometric Service, CryptProtectData encryption |
| Microsoft Mitigation | Enhanced Sign-in Security (ESS) with hypervisor VTL1 |
| Hardware Requirement | ESS requires specific hardware, often Intel-based |
| Potential Fixes | TPM storage for biometrics, code rewrite, disabling biometrics |
| Interim Recommendation | Use PIN login, disable biometrics on vulnerable setups |
This vulnerability underscores the importance of secure data storage mechanisms and proper hardware support when implementing biometric systems. The researchers stated that fixing the flaw would require a significant code rewrite or the use of the TPM, which might not be possible. They also recommended disabling biometrics and using a PIN for logging in if using Hello for Business without ESS. Microsoft did not immediately respond to inquiries about the findings.
- The code injection attack demonstrated at the Black Hat conference can manipulate the Windows Biometric Service database, bypassing biometric authentication and recognizing any face or fingerprint provided.
- Microsoft's Enhanced Sign-in Security (ESS) can mitigate this attack by protecting biometric data at a hardware-protected level, but many devices lack the required hardware.
- To address this vulnerability, researchers recommend storing biometric data securely using the Trusted Platform Module (TPM), which can provide hardware-backed security for biometric keys.
- The researchers also suggest a major overhaul or rewriting of the biometric code implementation to fix inherent architectural weaknesses, as a simple patch is unlikely due to complexity.