
Microsoft's business biometrics face rejection from German security specialists, who cautiously voice 'Windows Hell No' in response.

Loophole spotted: a malicious or compromised administrator could insert new facial templates into the biometric database and then sign in as the affected user.


In a recent demonstration, researchers Baptiste David and Tillmann Osswald showed a weakness in Microsoft's Windows Hello for Business biometric authentication. Starting from administrative access to a Windows machine, they bypassed face authentication and logged in as another user [1].

Microsoft's Enhanced Sign-in Security (ESS) protects Windows Hello biometrics by isolating biometric processing inside a Virtualization-based Security (VBS) environment. This secure container, separated from the rest of Windows, uses the Trusted Platform Module (TPM) 2.0 to authorize key usage, which defends the biometric data path against injection, replay and tampering. The researchers' attack worked on a system that did not have ESS enabled; for such systems they recommend signing in with a PIN rather than with biometrics [1].

In the demonstration, David signed in to his machine with a facial scan. Osswald, using administrative access, then inserted a fake facial template into the biometric database and unlocked the machine immediately. Microsoft had not responded to inquiries about the findings at the time of writing [1].

ESS depends on several hardware and firmware components: a TPM 2.0 chip, Secure Boot enabled in firmware, a VBS-capable CPU, OEM-configured Secure Devices (SDEV) ACPI tables, and ESS-certified biometric sensors. Systems that do not support ESS, which includes many business laptops up to 18 months old, may lack the secure camera hardware or the OEM-specific firmware configuration. Furthermore, when ESS is enabled it currently blocks external biometric peripherals until full ESS support for such devices becomes available [2][3][4].
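As an added example (not code from the article, the researchers or Microsoft), the following PowerShell audits the platform prerequisites listed above on a Windows host: the TPM specification version from the Win32_Tpm CIM class, Secure Boot state from Confirm-SecureBootUEFI, VBS state from Win32_DeviceGuard, and the "Allow the use of biometrics" Group Policy value under HKLM\SOFTWARE\Policies\Microsoft\Biometrics. It does not detect whether ESS itself is active, nor certified sensors or SDEV tables; those need confirmation from the OEM. The function names, report fields and recommendation strings are the example's own, and the script must run elevated because Win32_Tpm and the policy write require it.

```powershell
# Added example: audit ESS prerequisites and, where they are missing, fall back to PIN-only sign-in.
# Run from an elevated PowerShell prompt. Reports platform capability only; it cannot tell you ESS is on.

function Get-EssPrerequisiteReport {
    [CmdletBinding()]
    param()

    # TPM 2.0: Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.38"; the first field is the spec version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ([string]$tpm.SpecVersion -split ',')[0].Trim() } else { $null }
    $tpm2 = ($tpmSpec -eq '2.0')

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS/CSM systems, which also fail the requirement.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $secureBoot = $false }

    # VBS: Win32_DeviceGuard.VirtualizationBasedSecurityStatus is 0 = not enabled, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $vbsStatus = if ($dg) { [int]$dg.VirtualizationBasedSecurityStatus } else { 0 }
    $vbsRunning = ($vbsStatus -eq 2)

    # Biometrics policy: the "Allow the use of biometrics" GPO writes HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Enabled.
    # A missing value means "not configured", and biometrics are allowed by default.
    $bioPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics' -Name 'Enabled' -ErrorAction SilentlyContinue
    $biometricsAllowed = if ($null -eq $bioPolicy) { $true } else { [bool]$bioPolicy.Enabled }

    $prereqsMet = $tpm2 -and $secureBoot -and $vbsRunning

    # Recommendation wording is this example's own, following the article's advice (ESS where possible, otherwise PIN).
    $recommendation = if ($prereqsMet) {
        'Platform can host ESS; confirm an ESS-certified sensor and OEM SDEV/firmware support with the vendor.'
    } elseif ($biometricsAllowed) {
        'ESS prerequisites missing and biometrics still allowed: disable biometrics and require a PIN.'
    } else {
        'ESS prerequisites missing; biometrics already disabled by policy (PIN only).'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Tpm20             = $tpm2
        TpmSpecVersion    = $tpmSpec
        SecureBoot        = $secureBoot
        VbsStatus         = $vbsStatus
        VbsRunning        = $vbsRunning
        BiometricsAllowed = $biometricsAllowed
        EssPrereqsMet     = $prereqsMet
        Recommendation    = $recommendation
    }
}

function Disable-WindowsBiometrics {
    # Enforce the PIN fallback locally by setting "Allow the use of biometrics" to 0.
    # In a domain, set the same policy through GPO or Intune instead of editing the registry on each host.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
    if ($PSCmdlet.ShouldProcess($key, 'Set Enabled=0')) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'Enabled' -Value 0 -Type DWord
    }
}

$report = Get-EssPrerequisiteReport
$report | Format-List
if (-not $report.EssPrereqsMet -and $report.BiometricsAllowed) {
    Disable-WindowsBiometrics -WhatIf   # drop -WhatIf to apply the policy change
}
```

The audit deliberately treats "VBS enabled but not running" (status 1) as a failure, since an ESS container that is configured but not active gives no isolation. Disabling biometrics by policy affects every user on the host, so in a fleet the report is better collected centrally and the policy applied only to the devices that cannot be upgraded to ESS-capable hardware.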

Researchers have reported that some ThinkPads with AMD rather than Intel processors lack ESS-compatible secure sensors, so ESS is unavailable on those devices. Microsoft plans to add ESS support for external biometric devices by late 2025 [2].

The ESS architecture significantly raises the bar for attacks on Windows Hello biometric authentication, but it limits use to PCs that meet strict hardware and firmware requirements [2][3][4]. The research was funded by Germany's Federal Office for Information Security (BSI) as part of a two-year research programme called Windows Dissect, which is set to conclude next spring.

More findings from the Windows Dissect programme are expected. The researchers said that fixing the flaw would require either a significant code rewrite or storing the biometric data in the TPM, which may not be feasible [1].

References:

[1] ZDNet. (2022). Researchers reveal Windows Hello flaw that lets them bypass biometric security. [online] Available at: https://www.zdnet.com/article/researchers-reveal-windows-hello-flaw-that-lets-them-bypass-biometric-security/

[2] Microsoft. (2020). Enhanced sign-in security (ESS) for Windows Hello. [online] Available at: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/ess-for-hello

[3] Microsoft. (2020). Virtualization-based security (VBS). [online] Available at: https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/virtualization-based-security

[4] Microsoft. (2020). Trusted Platform Module (TPM) for Windows. [online] Available at: https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-overview

  1. The weakness in Windows Hello for Business demonstrated by Baptiste David and Tillmann Osswald requires administrative access: an attacker who already controls the machine as an administrator can add a facial template to the biometric database and sign in as another user.
  2. The mitigation Microsoft offers is Enhanced Sign-in Security (ESS); where the hardware cannot support it, the researchers advise disabling biometric sign-in in favour of a PIN.
  3. Because ESS requires TPM 2.0, Secure Boot, a VBS-capable CPU, OEM SDEV tables and certified sensors, many existing business laptops cannot use it, so the choice between ESS and PIN-only sign-in has to be made per device.
  4. The Windows Dissect programme is still running, so further findings about Windows authentication components should be expected.
