Bypassing Windows Hello for Business and Pleasure

Conference:  BlackHat USA 2021



The presentation discusses the vulnerabilities of passwordless authentication mechanisms, particularly Windows Hello, and how attackers can bypass them using custom USB devices and infrared frames. The speaker recommends not relying on public factors for authentication and suggests mitigations.
  • Custom USB devices and infrared frames can be used to bypass passwordless authentication mechanisms like Windows Hello
  • Manipulating the biometric database in Windows can create a backdoor to user accounts
  • Fuzzing the database can extract relevant information to unlock the target device
  • The speaker recommends not relying on public factors for authentication and suggests mitigations
  • Microsoft is working on publishing an advisory to mitigate the attack vector
The attacker captures infrared frames of the victim and creates a custom USB device that tricks Windows into thinking the victim is in front of the computer. The USB device transmits the captured infrared to the computer, which logs the user in and gives the attacker access to sensitive data.


Windows Hello is the most popular password-less solution that includes authentication by either PIN code or biometric authentication. As a password-less technology, Windows Hello provides people with a more convenient authentication experience compared with the traditional password technique. In addition, it promises better security – but is it the truth? Would it make the lives of attackers harder or easier?

In this talk, we'll introduce our research on attacking the face recognition mechanism of Windows Hello and show how an attacker can bypass Windows Hello using an external crafted USB device.

Every biometric authentication process includes biometrics collection, preprocessing, liveness detection, and feature matching. Windows Hello is no different, and some processes apply to it as well, including an anti-spoofing mechanism to detect frauds and bypass attempts.

We'll discuss how face recognition authentication works, how to trick the Windows Hello engine with a modified USB device, and how to capture the relevant picture frames for bypassing the login phase.

In addition, we will see how our findings can affect other biometrical authentication across other devices and systems.

Besides, we will overview the biometric system in Windows, how it is designed and what data can be interesting from the attacker's perspective and what defenders should do to prevent attackers' access.

Finally, we will discuss how this knowledge can go to practical red team engagements.


