"Our findings show that any USB device can be cloned, and any USB device can impersonate any other USB device… The OS cannot validate such a device's authenticity, at least not according to the USB specification," states CyberArk Labs, the security research team which discovered the bug. This suggests we can expect further hacks of Windows Hello in future.

07/16 Update: CyberArk has contacted me to warn that the patch Microsoft issued cannot fully mitigate the flaws it has found in the Windows Hello system.

"Windows Hello uses a USB camera to get the input for face recognition-based authentication. USB devices are not designed to offer a validation mechanism, and this means that most USB devices can be spoofed; this creates an inherent issue in Windows Hello," explained Omer Tsarfati, CyberArk Security Researcher, in a statement to me.

"It makes Windows Hello trust the camera input without any ability to verify the authenticity of the data, which we demonstrated in our research. This issue can only be fully fixed by creating trust between the camera and the OS, but this requires the camera hardware and software to support this."

All of which creates an inherent problem for Windows 10 users: "Microsoft has limited the issue to an extent, but the concept remains a serious one as it exposes a new attack vector to any biometric authentication that relies on input from an external USB device," Tsarfati explains.

"It is possible that, in future, if (for instance) Windows were ever to allow remote authentication with face recognition, even the need to be able to access a user machine will not be necessary; it becomes potentially possible to exploit this attack remotely, which will increase the attack risk substantially."

While Windows Hello remains a fast and convenient way to secure access to a Windows 10 computer, CyberArk's research shows that its security is far from watertight. Consequently, I would expect to see further attempts to exploit this vulnerability in future.

To download the latest Windows 10 patches, users should follow these steps:

1. Windows Settings > Updates & Security > Windows Update.
2. Watch that a new July patch starts installing.