Hackers can swap faces to gain illegal access with Windows Hello

Hackers with administrative access can manipulate biometric templates stored locally on Windows machines

  • An attacker can decrypt and alter the biometric data used to verify user identities, bypassing the authentication protocols designed to protect sensitive systems and data.
  • The absence of an external entropy source for generating the cryptographic keys further weakens the system's defences.

The security of biometric authentication systems is paramount in safeguarding sensitive information, yet research reveals critical vulnerabilities within Windows Hello for Business.

The system, designed to authenticate users via facial recognition and other biometric data, harbours an architectural flaw that undermines its intended security.

Researchers at ERNW have demonstrated that hackers with administrative access can manipulate biometric templates stored locally on Windows machines, effectively “swapping faces” to gain unauthorised access.

The attack vector requires the adversary to first penetrate an organization’s network and escalate privileges to the local administrator level on a compromised device.

With these capabilities, the attacker can decrypt and alter the biometric data used to verify user identities, bypassing authentication protocols designed to protect sensitive systems and data.

Threat to network security

The manipulation enables malicious actors not only to deny legitimate users access but also to impersonate IT personnel or domain administrators, posing a significant threat to network security.

Fundamentally, the flaw arises because the biometric templates, though encrypted, are stored alongside all of the material needed to decrypt them on the same system. Anyone with administrative control of that system can therefore fully read and modify the templates.

The absence of an external entropy source to generate cryptographic keys further weakens the system’s defenses. Consequently, an intruder with physical or network access can move laterally inside the corporate environment, compromising additional assets.

Despite notifying Microsoft, researchers express scepticism regarding any forthcoming resolution due to the profound architectural overhaul such a fix would entail.

Currently, the only viable long-term remedy involves incorporating user-specific biometric data as cryptographic entropy, a fundamental redesign aimed at strengthening the linkage between biometric identification and authentication.
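The design point in the three paragraphs above can be shown in a small model. The following Python is an added illustration written for this article; it is not ERNW's tooling and makes no claim about how Windows Hello for Business actually stores or derives anything. It contrasts two layouts for an encrypted template store: one where every input to the key derivation sits in the store next to the ciphertext, and one where the key also mixes in a secret that never touches the store (standing in for the "user-specific biometric data as cryptographic entropy" remedy). A single check, `key_recoverable_from_store`, models a reader who has every file but no live user and asks whether that is enough to decrypt. The HMAC-counter cipher and the hash-based KDF are stand-ins chosen so the example needs only the standard library; the identifiers, the template bytes and the SID-like string are constructed samples.

```python
"""Toy model of template-at-rest protection (illustrative; not Windows Hello's real design)."""
import hashlib
import hmac
import os
from typing import Dict, Optional

CIPHERTEXT_FIELD = "template.enc"


def derive_key(label: bytes, *parts: bytes) -> bytes:
    """Hash-based KDF over length-prefixed inputs (stands in for a real KDF such as HKDF)."""
    h = hashlib.sha256(label)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real AEAD's encryption half."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    enc_key = derive_key(b"enc", key)
    mac_key = derive_key(b"mac", key)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the tag fails (wrong key or modified blob)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = derive_key(b"mac", key)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    enc_key = derive_key(b"enc", key)
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- Two store layouts -------------------------------------------------------

def build_colocated_store(template: bytes) -> Dict[str, bytes]:
    """Weak layout: every input to the key derivation lives in the store with the ciphertext."""
    device_secret = os.urandom(32)                 # generated on, and kept by, the device
    user_id = b"S-1-5-21-constructed-user-sid"     # constructed sample identifier
    key = derive_key(b"template-key", device_secret, user_id)
    return {"device_secret": device_secret, "user_id": user_id, CIPHERTEXT_FIELD: seal(key, template)}


def build_entropy_bound_store(template: bytes, live_sample_secret: bytes) -> Dict[str, bytes]:
    """Hardened layout: the key also mixes in a secret that is never written to the store.
    live_sample_secret models user-specific entropy obtained at capture time (in a real system
    it would come from the biometric sample through a fuzzy extractor, which this toy omits)."""
    user_id = b"S-1-5-21-constructed-user-sid"
    key = derive_key(b"template-key", live_sample_secret, user_id)
    return {"user_id": user_id, CIPHERTEXT_FIELD: seal(key, template)}


# --- Threat-model check: is the store alone enough to decrypt? ---------------

def key_recoverable_from_store(store: Dict[str, bytes]) -> bool:
    """Models a reader with every file but no live user: rebuild the key from all
    non-ciphertext fields and see whether the template unseals and authenticates."""
    material = [store[name] for name in sorted(store) if name != CIPHERTEXT_FIELD]
    candidate = derive_key(b"template-key", *material)
    return unseal(candidate, store[CIPHERTEXT_FIELD]) is not None


def legitimate_unlock(store: Dict[str, bytes], live_sample_secret: bytes) -> Optional[bytes]:
    """The intended path: store contents plus the live-sample secret reproduce the key."""
    key = derive_key(b"template-key", live_sample_secret, store["user_id"])
    return unseal(key, store[CIPHERTEXT_FIELD])


if __name__ == "__main__":
    template = b"constructed-face-template-vector"
    print("colocated store decryptable from disk alone:",
          key_recoverable_from_store(build_colocated_store(template)))
    secret = os.urandom(32)
    hardened = build_entropy_bound_store(template, secret)
    print("entropy-bound store decryptable from disk alone:",
          key_recoverable_from_store(hardened))
    print("entropy-bound store opens with the live secret:",
          legitimate_unlock(hardened, secret) == template)
```

The check passes on the co-located layout and fails on the entropy-bound one, which is exactly the distinction the researchers draw: encryption at rest protects nothing against a reader who also holds every key-derivation input. Two caveats belong with the hardened variant. Real biometric readings are noisy, so the stable `live_sample_secret` would have to be produced by a fuzzy extractor rather than taken directly from the sensor. And a local administrator on a running machine may still be in a position to observe the live sample when a user authenticates, so binding the key to user entropy raises the cost of offline template modification rather than removing the administrator from the trust boundary altogether.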
