
Security Researchers found a way to trick Windows Hello authentication, but there is a simple fix

Microsoft heavily pushes Windows Hello authentication, using biometrics or a PIN, in Windows. In fact, it may be quite difficult to set up Windows without setting at least a PIN for Windows Hello authentication. Microsoft claims that Windows Hello offers better protection than the traditional password that users sign in with.

However, Windows Hello is not without flaws of its own. In 2023, security researchers managed to bypass Windows Hello fingerprint authentication. One year earlier, a bug caused Windows Hello sign-ins to stop working after systems were upgraded to the then-latest version of Windows, version 22H2.

Two security researchers demonstrated another flaw in Windows Hello at the Black Hat conference in Las Vegas, according to The Register. Dr Baptiste David and Tillmann Osswald from ERNW Research showed how a hacker can crack Windows Hello authentication.

The research team demonstrated how a hacker could inject biometric data into a Windows PC to unlock the system. They found a flaw in the CryptProtectData database, which secures authentication information. The flaw requires administrative access or some other form of elevated access to the system, e.g., via a malware infection.

How to protect your system against the attack

The researchers note that Windows PC users have two options to protect their devices against this specific attack.

  • Windows Hello Enhanced Sign-In Security (ESS): if ESS is enabled, the hack is not possible. It is activated by default, provided that the PC meets all the requirements.
  • PIN instead of biometrics: Switching to a PIN instead of using biometrics is another option, according to the researchers.

Enhanced Sign-In Security protects the face algorithm using Virtualization-based Security (VBS), which isolates it from the rest of Windows. To use ESS, a system must meet all requirements for VBS and have TPM 2.0, device firmware with a Secure Devices ACPI table, and biometric sensor hardware and drivers that are compatible with ESS.
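
The check below is an added example, not code from the original article or from the researchers. It reports the two ESS requirements listed above that can be queried from an elevated PowerShell session, VBS and TPM 2.0; the function name `Get-EssPrerequisiteStatus` is hypothetical, and the Secure Devices ACPI table and sensor compatibility are not checked.

```powershell
# Added example: reports the VBS and TPM 2.0 prerequisites for ESS.
# Run from an elevated PowerShell session on the machine being checked.
function Get-EssPrerequisiteStatus {
    # Device Guard WMI class. VirtualizationBasedSecurityStatus:
    #   0 = not enabled, 1 = enabled but not running, 2 = enabled and running.
    $dgQuery = @{
        Namespace   = 'root\Microsoft\Windows\DeviceGuard'
        ClassName   = 'Win32_DeviceGuard'
        ErrorAction = 'SilentlyContinue'
    }
    $dg = Get-CimInstance @dgQuery
    $vbsRunning = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # TPM WMI class. SpecVersion is a comma-separated string whose first
    # field is the specification version, for example "2.0, 0, 1.38".
    $tpmQuery = @{
        Namespace   = 'root\cimv2\Security\MicrosoftTpm'
        ClassName   = 'Win32_Tpm'
        ErrorAction = 'SilentlyContinue'
    }
    $tpm = Get-CimInstance @tpmQuery
    $tpmVersion = $null
    if ($tpm -and $tpm.SpecVersion) {
        $tpmVersion = ($tpm.SpecVersion -split ',')[0].Trim()
    }
    $tpm20 = ($null -ne $tpmVersion) -and ($tpmVersion -like '2.*')

    # A missing class (query returned nothing) is reported as "not met"
    # rather than raising an error, so the result is always a full record.
    [pscustomobject]@{
        VbsRunning        = $vbsRunning
        TpmSpecVersion    = $tpmVersion
        Tpm20Present      = $tpm20
        # Only covers what this script can see; firmware and sensor
        # requirements still have to be confirmed separately.
        QueryableReqsMet  = $vbsRunning -and $tpm20
    }
}

Get-EssPrerequisiteStatus | Format-List
```

A result of `QueryableReqsMet : False` means ESS cannot be active on that machine; `True` only means the firmware and sensor requirements are the remaining things to confirm.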

As a consequence, not all systems support ESS. The researchers told The Register that they purchased ThinkPads less than two years ago and that they did not support ESS as "they do not have a secure sensor for the camera because they use AMD chips and not Intel's".

The issue is going to be difficult to fix, according to the researchers. It would require a "significant code rewrite" or another change, such as using the TPM to store the biometric data.

Now You: how do you sign in to your Windows systems? Do you use a password or Windows Hello? Feel free to leave a comment down below.

Thank you for being a Ghacks reader. The post Security Researchers found a way to trick Windows Hello authentication, but there is a simple fix appeared first on gHacks Technology News.
