Microsoft fixes serious Windows Hello security flaw
July Patch Tuesday mitigates Windows Hello bypass vulnerability
Cybersecurity experts have shared a proof-of-concept to bypass the Windows Hello biometric authentication system.
Threat actors can exploit the bypass, demonstrated by identity and access management (IAM) vendor CyberArk, to access an organization’s sensitive data by impersonating a privileged account.
Leaning on official figures from Microsoft suggesting that over 84% of Windows 10 users sign in to their devices using Windows Hello, CyberArk argues that the bypass poses a grave security risk for businesses transitioning to password-less authentication.
“While our research was specific to Windows Hello and more so the enterprise offering, Windows Hello for Business, it’s important to note that potentially any authentication system that allows a pluggable third-party USB camera to act as biometric sensor could be susceptible to this attack without proper mitigation,” writes CyberArk’s security researcher, Omer Tsarfati.
Targeted attacks
The exploit, which CyberArk likens to the one used by Tom Cruise in the hit film Minority Report, involves using a custom USB device to steal an infrared image of the face of the target they want to impersonate.
The criminal can then use this image to compromise any facial recognition product which relies on a USB camera, such as Windows Hello.
CyberArk responsibly disclosed the issue to Microsoft, which fixed it as part of its July Patch Tuesday update.
However, based on preliminary testing, CyberArk researchers believe that while the mitigation does limit the attack surface, it relies on users having specific cameras.
“Inherent to system design, implicit trust of input from peripheral devices remains. To mitigate this inherent trust issue more comprehensively, the host should validate the integrity of the biometric authentication device before trusting it,” says Tsarfati.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.