CVE-2021-34466: Windows Hello Security Feature Bypass Vulnerability

Microsoft’s Windows Hello biometric verification is considered to have high security, such as infrared cameras and fingerprint recognition are usually not easy to forge.

Passing infrared camera certification usually requires a living body test, but the actual test found that Windows Hello is not as safe as Microsoft advertises.

The problem is that Windows Hello seems to be willing to accept any camera with infrared function as a verification camera, which allows hackers to tamper with the actual data stream.

Researchers use a special device to send two frames of data to Windows Hello, the first frame is the real infrared capture of the target user, and the second frame is a blank black frame.

The real infrared capture is used to obtain preliminary authentication, and the blank black frame is used to deceive the Windows Hello vitality detection mechanism to achieve the purpose of verification.

Facts have proved that this method is indeed feasible. Researchers can easily bypass Microsoft’s biometric verification and log in to various accounts using this method.

However, it is not easy to exploit this vulnerability in the real world. The main harm is that hackers can set up cameras around the target user to obtain photos.

Only when the target user is captured by an infrared-capable camera can the forged data be used to bypass the live detection and break Microsoft’s biometric authentication.

After the researchers notified Microsoft of the vulnerability, it has been confirmed by Microsoft. Microsoft said that the vulnerability CVE-2021-34466 will be fixed in a subsequent update.

In addition, Microsoft also provides a temporary solution for enhancing the security of biometrics, which can restrict the use of only cameras trusted by OEM manufacturers.