Researchers have identified a significant vulnerability in Microsoft's Windows Hello biometrics system that allows a local administrator to inject and manipulate stored biometric data and thereby gain unauthorized access. Hello relies on a cryptographic key stored in a database tied to the Windows Biometric Service. Enhanced Sign-in Security (ESS) provides robust protection against this attack, but not every device can use it, because ESS depends on hardware that many machines lack. A live demonstration showed how easily an attacker with the required privileges could unlock a protected system using counterfeit biometric identifiers. Resolving the issue may require an extensive code overhaul or a different approach to storing biometric data.
Dr Baptiste David demonstrated a critical flaw in Windows Hello that allows local administrators to inject biometric information, compromising the system's security and enabling unauthorized access.
The team found that although Microsoft's Enhanced Sign-in Security (ESS) is effective, many PCs do not support it because of hardware limitations, leaving their users exposed.
The demonstration showed that, with a small amount of code, one could unlock another person's machine by inserting a facial scan captured on a different device into the Hello database.
Fixing the vulnerability may require a substantial code rewrite, or storing biometric data in the TPM instead, both of which present significant challenges for Microsoft.