Windows Hello for Business Biometrics Bypassed by German Security Experts
A critical vulnerability has been uncovered in Microsoft's Windows Hello for Business biometrics system, as demonstrated by researchers Baptiste David and Tillmann Osswald during a recent presentation. This flaw, if exploited, allows attackers with local administrator access to perform biometric injection attacks, effectively bypassing biometric authentication by injecting any face or fingerprint data into a targeted PC.
The research, funded by Germany's Federal Office for IT Security as part of a two-year research program called Windows Dissect, reveals weaknesses in how the Windows Biometric Service protects stored biometric data, specifically in its use of the CryptProtectData (DPAPI) call that protects the cryptographic keys.
The attack involves first breaking the encryption that protects the biometric data and then injecting code, allowing the attacker to control what the system accepts as valid biometric input. Microsoft's Enhanced Sign-in Security (ESS) feature mitigates the attack by running the biometric pipeline in a hypervisor-isolated virtual trust level (VTL1), beyond the reach of a local administrator, but not all PCs support ESS, leaving many vulnerable.
To mitigate this risk and secure authentication in business environments, the researchers recommend enabling ESS on all supported devices, disabling biometric authentication on devices without ESS support, storing biometric data within a Trusted Platform Module (TPM) where feasible, limiting local administrator access, and maintaining up-to-date security patches.
Microsoft had not responded to inquiries about the findings at the time of writing. The researchers also stated that fixing the issue would require either a significant code rewrite or storing the biometric data in the TPM, which might not be feasible. More revelations from the Windows Dissect research program are expected.
In summary, until Microsoft provides a robust patch or redesign, businesses should prioritize ESS-enabled devices and limit biometric usage on unsupported hardware as primary mitigation steps, combined with strict access controls to minimize exploitation risk.
- The ongoing research in the Windows Dissect program highlights the importance of robust cybersecurity measures in technology and business, particularly in dealing with sensitive data like biometric information.
- The encryption weaknesses exposed in Microsoft's Windows Biometric Service, as highlighted by Baptiste David and Tillmann Osswald, emphasize the need for secure storage methods like the Trusted Platform Module (TPM).
- As demonstrated by the recent vulnerability uncovered in Windows Hello for Business, the security of AI-driven technologies, such as biometrics, is crucial in the financial sector, where weaknesses can lead to significant data breaches.
- To ensure the security of their systems and financial transactions, businesses must consider implementing multi-layered defenses, including limiting local administrator access, enabling Enhanced Sign-in Security (ESS), and disabling biometric authentication on unsupported devices.
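As an added example, not part of the article or the researchers' work, the following PowerShell script turns the recommendation "disable biometric sign-in on devices that cannot run ESS" into an audit-and-enforce step for a fleet. It assumes that ESS, running at VTL1, requires virtualization-based security (VBS) to be active, that the Win32_DeviceGuard CIM class reports VBS state, and that the "Allow the use of biometrics" policy lives under HKLM\SOFTWARE\Policies\Microsoft\Biometrics; it does not check ESS status itself.

```powershell
# Added example (not from the article or the researchers): audit/enforce the
# mitigation "disable biometric sign-in where ESS cannot run".
# Assumptions: ESS lives in VTL1 and therefore needs VBS running; the
# Win32_DeviceGuard class reports VBS state; the "Allow the use of biometrics"
# policy is stored as HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Enabled (0 = off).
# Run elevated. Use -WhatIf to audit without changing anything.
[CmdletBinding(SupportsShouldProcess)]
param()

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'

function Get-VbsRunning {
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not
    # running, 2 = running. Only 2 provides a VTL1 for ESS to run in.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return ($null -ne $dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
}

function Get-BiometricsPolicy {
    $v = Get-ItemProperty -Path $PolicyKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'not configured (biometrics allowed)' }
    if ($v.Enabled -eq 0) { return 'disabled by policy' }
    return 'enabled by policy'
}

$vbs = Get-VbsRunning
Write-Host "VBS running (ESS prerequisite): $vbs"
Write-Host "Biometrics policy: $(Get-BiometricsPolicy)"

if (-not $vbs) {
    # Without VTL1, ESS cannot isolate the biometric pipeline from a local
    # administrator, so apply the fallback: turn biometric sign-in off.
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set Enabled=0 (disable biometric sign-in)')) {
        New-Item -Path $PolicyKey -Force | Out-Null
        Set-ItemProperty -Path $PolicyKey -Name Enabled -Value 0 -Type DWord
        Write-Host 'Biometric sign-in disabled by policy; PIN/password sign-in remains.'
    }
}
else {
    # VBS running is necessary but not sufficient: confirm ESS itself is
    # enabled on the device before relying on biometric sign-in.
    Write-Host 'VBS is running; verify ESS is enabled before trusting biometrics.'
}
```

The policy change takes effect for the Windows Biometric Service on the next sign-in; deploy it through Group Policy or MDM rather than per-machine scripts where possible.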