A vulnerability in Microsoft’s Windows 10 password-free authentication system has been uncovered that could allow an attacker to spoof an image of a person’s face to trick the facial-recognition system and take control of a device. Windows Hello is a feature in Windows 10 that allows users to authenticate themselves without a password, using a PIN code or biometric identity—either a fingerprint or facial recognition—to access a device or machine. According to Microsoft, about 85 percent of Windows 10 users use the system. The Windows Hello bypass vulnerability, tracked as CVE-2021-34466, requires an attacker to have physical access to a device to exploit it, according to researchers at CyberArk Labs who discovered the flaw in March. From there, they can go on “to manipulate the authentication process by capturing or recreating a photo of the target’s face and subsequently plugging in a custom-made USB device to inject the spoofed images to the authenticating host,” Omer Tsarfati, cybersecurity researcher at CyberArk Labs, wrote in a report about the vulnerability published Tuesday. Further, exploitation of the bypass can extend beyond Windows Hello systems to “any authentication system that allows a pluggable third-party USB camera to act as biometric sensor,” Tsarfati noted. Researchers have no evidence that anyone has tried or used the attack in the wild, but someone with motive could potentially use it on a targeted victim, such as “a researcher, scientist, journalist,…
https://govanguard.com/wp-content/uploads/2018/04/Header_Logo.png 0 0 govanguard https://govanguard.com/wp-content/uploads/2018/04/Header_Logo.png govanguard2021-07-14 07:05:002021-07-14 07:05:00Windows Hello Bypass Fools Biometrics Safeguards
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
Data Privacy Notice
- – All product names, logos, and brands are property of their respective owners.
- – The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- – Content syndication and aggregation of public information is solely for the purpose of identifying information security trends, all syndicated content contains source links to the content creator website. All content is owned by it’s respective content creators.
- – If you are an owner of some content and want it to be removed, please email email@example.com