-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2017-027 Product: Microsoft Windows Hello Face Authentication Manufacturer: Microsoft Affected Version(s): Windows 10 Pro (Version 1709, OS Build 16299.19) Windows 10 Pro (Version 1703, OS Build 15063.726) Windows 10 Pro (Version 1703, OS Build 15063.674) Windows 10 Pro (Version 1703, OS Build 15063.483) Windows 10 Pro (Version 1607, OS Build 14393.1914) Windows 10 Pro (Version 1607, OS Build 14393.1770) Windows 10 Pro (Version 1511, OS Build 10586.1232) Tested Version(s): Windows 10 Pro (Version 1709, OS Build 16299.19) Windows 10 Pro (Version 1703, OS Build 15063.726) Windows 10 Pro (Version 1703, OS Build 15063.674) Windows 10 Pro (Version 1703, OS Build 15063.483) Windows 10 Pro (Version 1607, OS Build 14393.1914) Windows 10 Pro (Version 1607, OS Build 14393.1770) Windows 10 Pro (Version 1511, OS Build 10586.1232) Vulnerability Type: Authentication Bypass by Spoofing (CWE-290) Risk Level: High Solution Status: Fixed on Windows 10 branches 1703 and 1709 with enabled "enhanced anti-spoofing" feature Manufacturer Notification: 2017-10-20 Solution Date: 2017-12-18 Public Disclosure: 2017-12-18 CVE Reference: Not yet assigned Authors of Advisory: Matthias Deeg and Philipp Buchegger (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Microsoft Windows 10 offers a biometric authentication mechanism using "near infrared" face recognition technology with specific Windows Hello compatible cameras. The manufacturer Microsoft describes the face authentication feature as follows (see [1]): "Microsoft face authentication in Windows 10 is an enterprise-grade identity verification mechanism that's integrated into the Windows Biometric Framework (WBF) as a core Microsoft Windows component called Windows Hello. Windows Hello face authentication utilizes a camera specially configured for near infrared (IR) imaging to authenticate and unlock Windows devices as well as unlock your Microsoft Passport." Further information about how Windows Hello works and its metrics concerning false acceptance rate (FAR) and false rejection rate (FRR) can also be found on the Microsoft website (see [2]). Due to an insecure implementation of the biometric face recognition in some Windows 10 versions, it is possible to bypass the Windows Hello face authentication via a simple spoofing attack using a modified printed photo of an authorized person. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: SySS GmbH discovered that the Microsoft Windows Hello face authentication using near infrared cameras in some Windows 10 versions is vulnerable to simple spoofing attacks. By using a modified printed photo of an authorized user, an unauthorized attacker is able to log in to or unlock a locked Windows 10 system as this spoofed authorized user. Thus, by having access to a suitable photo of an authorized person (frontal face photo), Windows Hello face authentication can easily be bypassed with little effort, enabling unauthorized access to the Windows system. Both, the default Windows Hello configuration and Windows Hello with the enabled "enhanced anti-spoofing" feature on different Windows 10 versions are vulnerable to the described spoofing attack and can be bypassed. If "enhanced anti-spoofing" is enabled, depending on the targeted Windows 10 version, a slightly different modified photo with other attributes has to be used, but the additional effort for an attacker is negligible. In general, the simple spoofing attack is less reliable when the "enhanced anti-spoofing" feature is enabled. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): SySS GmbH could successfully bypass the configured Windows Hello user authentication with face recognition on two Windows 10 systems using a modified printed photo (paper printout) of an authorized user. For example, the spoofing attack was performed against a laptop device (Dell Latitude E7470) running Windows 10 Pro (Version 1703) with a Windows Hello compatible webcam [3] and against a Microsoft Surface Pro 4 device [4] running Windows 10 Pro (Version 1607) with the built-in camera. Only the used Microsoft Surface Pro 4 device supported the "enhanced anti-spoofing" feature of Windows 10. The used LilBit USB IR camera only supported the default configuration and could not be used with the more secure face recognition settings. The default Windows Hello configuration could successfully be bypassed on both test devices with all tested Windows 10 versions. The more secure configuration with enabled "enhanced anti-spoofing" feature could only successfully be bypassed on the Windows 10 branches 1511 and 1607. Our first proof-of-concept video [6] demonstrates a successful attacks against Windows Hello Face Authentication on a Microsoft Surface Pro 4 with Windows 10 version 1607 and enabled "enhanced anti-spoofing" feature. Depending on the targeted Windows 10 version and the target device hardware configuration, slightly different modifications of the spoofing attack had to be used, for example photos with higher resolution (480x480 pixels instead of 340x340 pixels) or specially colored images. Our second proof-of-concept video [7] shows two variations of the spoofing attack utilizing different means. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: According to test results of SySS GmbH, the newer Windows 10 branches 1703 and 1709 [5] are not vulnerable to the described simple spoofing attack using a paper printout if the "enhanced anti-spoofing" feature is used with respective compatible hardware. SySS recommends to update to the latest revision of Windows 10 version 1709, to enable the "enhanced anti-spoofing" feature, and to reconfigure Windows Hello Face Authentication afterwards. If only the Windows 10 operating system is updated from a vulnerable version like 1607 to the latest revision of 1709 without newly setting up Windows Hello Face Authentication, the simple spoofing attack still works, as our third proof-of-concept video [8] illustrates. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2017-10-20: Vulnerability reported to manufacturer 2017-10-20: Manufacturer acknowledges e-mail with SySS security advisory and asks for tested configuration 2017-10-25: E-mail to manufacturer answering open questions E-mail to manufacturer with updated security advisory 2017-10-26: E-mail from manufacturer with further questions 2017-10-27: E-mail to manufacturer answering open questions 2017-10-27: E-mail from manufacturer with further questions 2017-10-30: E-mail to manufacturer answering open questions and with updated security advisory 2017-11-17: E-mail to manufacturer with an updated security advisory 2017-11-28: E-mail from manufacturer requesting further information 2017-12-01: E-mail to manufacturer concerning further information 2017-12-11: E-mail to manufacturer with new test results and revised security advisory 2017-12-15: E-mail from manufacturer with further information 2017-12-15: E-mail to manufacturer with updated security advisory 2017-12-18: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Website for Microsoft Windows Hello Face Authentication https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication [2] Windows Hello Biometrics in the Enterprise https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise [3] Amazon Link to Windows Hello compatible LilBit Face Tracking Camera https://www.amazon.de/LilBit-Gesichtserkennung-Kamera-Windows-Schwarz/dp/B071R6ZV7Q/ref=sr_1_3?ie=UTF8&qid=1508435221&sr=8-3&keywords=windows+hello+webcam [4] Product website for Microsoft Surface Devices https://www.microsoft.com/en-us/surface [5] Windows 10 Release Information https://technet.microsoft.com/en-us/windows/release-info.aspx [6] SySS Proof-of-Concept Video, Biometricks: Windows Hello Face Authentication Bypass PoC I https://www.youtube.com/watch?v=Qq8WqLxSkGs [7] SySS Proof-of-Concept Video, Biometricks: Windows Hello Face Authentication Bypass PoC II https://www.youtube.com/watch?v=GVKKcoOZHwk [8] SySS Proof-of-Concept Video, Biometricks: Windows Hello Face Authentication Bypass PoC III https://www.youtube.com/watch?v=cayqU3WCOso [9] SySS Security Advisory SYSS-2017-027 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-027.txt [10] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Matthias Deeg and Philipp Buchegger of SySS GmbH. E-Mail: matthias.deeg (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Deeg.asc Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB E-Mail: philipp.buchegger (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Philipp_Buchegger.asc Key fingerprint = 489F 34EE FA88 27DE 69A0 756B 0658 09F0 BB67 47E8 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE4TVOI2CRqFyeFFd6KN+zpwqYqdQFAlozrjsACgkQKN+zpwqY qdQZ3g/+OuccpwZkyryzd/AN+BVkXJ+TyL81fRgtgyegXbL+nAuxHclTxQLV90dW o7ofYWnN0144MSyQmpo7zIrzvyLTaWnuKOPaUAb3oMg8PVuAbR1W1UUqsGuxplwk wWmbfF1QoBTSOvgGC1Ey/e7J2fDuKtNk8yDQxu5cEJI/pM6tdYUjP6E6z1pwnNlE b6LwZZXSCJUc5LiStV28XcOnDzcqqiOVUCanOCBPHQ1metYl8LqGPiMHZMlA0x/E v+HbcFSlBTr6aWX22Vh7JeikZkOPp5MEUBtqE3uCnnflS9npmluJawC/PEDaKbd9 1aOBki1xIbtO60kQ3NGdVKkqz4pleJO9NJvVYOgdk34/MNgUTX0++6p8D1pU7VBm o0yKPSzF9Zt3yzEHGHbw6WV62CJ+nLZQwk1dhyXyIIjIWn601UloCwiSP2iQBIJD isi+K+6F5b9dRCWRQM6aO2fajr6zRboqT4oGUShTZ1saDEiMAExwYiFmcpiKW6Mn ZvKIr8jnf5mGqQNHbPotbo1AbScnqmv9/+2I8heHJ2PhMYu+w0wvUcmnoAShJpxt +FBZHQP+HXEMj1blUR30eX5ptZr5ajhd1jheAhh2ZMVRsm6jm2Of7rTmcc/qrfu0 p6B75XSAAr2LLYUw8hNbNiVcnJMxJslzviV8aDBreoFLrbfsNuM= =hWgD -----END PGP SIGNATURE-----
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/