Windows Hello is a security feature built into Windows 10 that provides several authentication options. The idea is to remove the reliance on passwords, something Microsoft is pushing hard at the moment, by using more robust authentication methods. However, not even Windows Hello is infallible in a world of constant cyber threats.
Hackers have proved just that by bypassing Windows Hello security with a fake USB camera. Specifically, threat actors took infrared images of their targets and fed them to Windows Hello through the spoofed camera. Microsoft's security accepted the images as valid authentication.
At the core of this problem is that Windows Hello seemingly accepts just about any infrared camera as a compatible camera. This means an attacker can manipulate the camera data and trick Hello by capturing the target in an IR image.
Method
Worse, it is relatively easy to do: just two frames, a blank frame and an IR capture frame, are enough to bypass the service. The method was disclosed by CyberArk, which points out that capturing the IR image is the only real obstacle an attacker would need to overcome. This could be achieved with a long-range IR camera or by hiding cameras close to the machine.
Still, it is worth pointing out that the attacker would need some kind of physical or environmental access to the system they want to attack.
Microsoft has confirmed the vulnerability and assigned it CVE-2021-34466. The company says enabling Windows Hello Enhanced Sign-in Security is a workaround for the problem. However, this means only Windows Hello cameras that sit on the OEM's cryptographic chain of trust can be used, and, as you might expect, that is not all Windows Hello cameras.