Threat actors could exploit the bypass, demonstrated by Identity and Access Management (IAM) provider CyberArk, to access an organization's sensitive data by masquerading as a privileged account.
Leaning on official Microsoft figures indicating that over 84% of Windows 10 users log into their devices using Windows Hello, CyberArk argues that the bypass is a serious security risk for organizations migrating to passwordless authentication.
“While our research focused specifically on Windows Hello, and most importantly the Windows Hello for Business offering, it is important to note that potentially any authentication system that allows a pluggable third-party USB camera to act as a biometric sensor could be vulnerable to this attack without adequate defense,” writes CyberArk’s security researcher, Omer Tsarfati.
The exploit, which CyberArk compares to the Tom Cruise film Minority Report, involves using a custom USB device to present an infrared image of the face of the target the attacker is trying to impersonate.
The attacker can then use this image to compromise any facial recognition product that relies on a USB camera, such as Windows Hello.
CyberArk responsibly disclosed the issue to Microsoft, which fixed it as part of its July Patch Tuesday update.
However, based on preliminary tests, CyberArk researchers believe that the mitigation, while it limits the attack surface, depends on users having specific cameras.
“The system design has implicit trust in input from peripheral devices. To further mitigate this inherent trust problem, the host should validate the integrity of the biometric authentication device before trusting it,” says Tsarfati.