Windows Hello flaw allows hackers to “swap faces” and access sensitive data


Attackers who already have a foothold inside a network can replace an admin’s stored face template with their own and unlock sensitive Windows systems. Researchers warn that the face recognition templates are protected by weaker security than the resources they unlock.

ERNW researchers claim that Windows Hello for Business, a system that authenticates users with facial recognition or other biometric data, has an inherent architectural flaw.

Hackers can manipulate and swap the biometric templates stored in Windows, and then use their face to unlock systems and data that the templates were supposed to protect.


For the attack to work, the attackers first need access to a compromised computer inside the organization’s network, which is usually joined to the company’s domain. They would also need to escalate their privileges to local administrator on that machine.

These prerequisites would enable the attacker to tamper with the biometric templates used by Windows Hello to recognize users’ faces when logging in.

The hacker could deny access to legitimate users or “swap faces” and log in as IT staff or even a domain administrator using their own face.

Figure: Windows Hello for Business authentication flow. Image by ERNW.

“This architecture has some challenges. First, there is only a loose coupling between biometric identification and authentication. Additionally, there is no external entropy available to derive a cryptographic key at any point,” the researchers explain in the insinuator.net blog post.

While Windows encrypts the biometric templates, all information required to unlock them is kept inside the computer itself.

“An administrative attacker can decrypt this header and access all information stored inside, as well as manipulate it,” the researchers claim.


This also means that an attacker with hands on the machine can potentially unlock sensitive data, such as emails, files, and internal systems. Hackers can abuse access to move laterally across the network, targeting other computers.

This problem isn’t just theoretical: the researchers released a proof of concept that relies only on tools already built into Windows, to show how easy the attack can be.

“Two users are enrolled with Windows Hello for Business. At least one user is a domain user, and the other user is a local administrator,” the report reads.

“Our Proof of Concept now exchanges the Security Identifiers from each of the WINBIO_IDENTITY structures with one another. Now, the local administrative user’s face will unlock the domain user, and vice versa.”

The researchers notified Microsoft about the vulnerability. However, they do not expect the tech giant to address it because “similar issues have not been resolved in the past,” and it “would result in a massive overhaul of the system’s architecture.”

Why can attackers unlock Windows biometric templates and “swap faces”?

Windows stores biometric data in a database with three parts: a header encrypted with CryptProtectData that holds the keys for the biometric templates, an unencrypted header carrying version information, and the encrypted templates themselves.

CryptProtectData normally derives its secret keys from the user’s password, but the Windows Biometric Service runs under the system account NT AUTHORITY\SYSTEM, so everything required to derive the key is stored on the system itself. An attacker with administrative rights can therefore decrypt the database and access and manipulate all the information stored inside.

To protect the system from face-swapping attackers, the only solution would be “to use the user’s biometrics as entropy,” requiring a major redesign of the system, according to the researchers.
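Because the fix the researchers describe is an architectural one, the practical question for a defender is whether domain accounts on a given host can be unlocked by templates that a local administrator could re-bind. The following PowerShell script is an added example, not code from the article or from ERNW; it reads the Windows Hello biometric Group Policy values, inventories the on-disk template database so it can be baselined by file integrity monitoring, and can optionally disable biometric logon for domain accounts as a compensating control. It assumes the policy values live under HKLM\SOFTWARE\Policies\Microsoft\Biometrics (the "Allow the use of biometrics", "Allow users to log on using biometrics" and "Allow domain users to log on using biometrics" settings), that an unset value defaults to allowed, and that the database sits under %SystemRoot%\System32\WinBioDatabase; run it from an elevated shell.

```powershell
# Added example (not from the ERNW write-up or the article): audit the Windows Hello
# biometric logon policy on a host and optionally restrict it for domain accounts.
# Assumptions: policy values under HKLM\SOFTWARE\Policies\Microsoft\Biometrics, an
# unset value meaning "allowed", and the template database under
# %SystemRoot%\System32\WinBioDatabase. Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$BlockDomainBiometricLogon   # apply the restriction instead of only reporting
)

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
$cpRoot     = Join-Path $policyRoot 'Credential Provider'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means "not configured"; Windows then treats biometrics as allowed.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PolicyState {
    param($Value)
    if ($null -eq $Value) { return 'not configured (defaults to allowed)' }
    if ($Value -eq 0)     { return 'disabled' }
    if ($Value -eq 1)     { return 'enabled' }
    return "unexpected value $Value"
}

$biometrics = Get-PolicyValue -Path $policyRoot -Name 'Enabled'
$logon      = Get-PolicyValue -Path $cpRoot     -Name 'Enabled'
$domain     = Get-PolicyValue -Path $cpRoot     -Name 'Domain Accounts'

[PSCustomObject]@{
    'Allow use of biometrics'              = Get-PolicyState $biometrics
    'Allow biometric logon'                = Get-PolicyState $logon
    'Allow domain-account biometric logon' = Get-PolicyState $domain
} | Format-List

# The template swap only matters if domain accounts (IT staff, domain admins) are
# unlocked by templates stored on this host, so call that case out explicitly.
if ($domain -ne 0) {
    Write-Warning 'Domain accounts may log on with biometric templates stored on this machine; a local administrator could re-bind them.'
}

# Inventory the template database so the files can be baselined; an unexpected
# write to this folder is the artefact a template manipulation leaves behind.
$dbPath = Join-Path $env:SystemRoot 'System32\WinBioDatabase'   # assumed default location
if (Test-Path $dbPath) {
    Get-ChildItem -Path $dbPath -Filter '*.DAT' -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTimeUtc |
        Format-Table -AutoSize
} else {
    Write-Output "No biometric database found at $dbPath (no users enrolled on this host)."
}

if ($BlockDomainBiometricLogon) {
    if (-not (Test-Path $cpRoot)) { New-Item -Path $cpRoot -Force | Out-Null }
    New-ItemProperty -Path $cpRoot -Name 'Domain Accounts' -Value 0 -PropertyType DWord -Force | Out-Null
    Write-Output 'Domain-account biometric logon disabled; domain users fall back to PIN or password.'
}
```

Running the script without the switch only reports; with `-BlockDomainBiometricLogon` it writes the policy value locally, which is useful for testing before the same setting is rolled out through Group Policy. Note that this narrows the impact of the template swap (a re-bound template can no longer unlock a domain account) but does not change the underlying design the researchers criticize, since the keys protecting the database still live on the machine.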
