-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2017-027
Product: Microsoft Windows Hello Face Authentication
Manufacturer: Microsoft
Affected Version(s): Windows 10 Pro (Version 1709, OS Build 16299.19)
                     Windows 10 Pro (Version 1703, OS Build 15063.726)
                     Windows 10 Pro (Version 1703, OS Build 15063.674)
                     Windows 10 Pro (Version 1703, OS Build 15063.483)
                     Windows 10 Pro (Version 1607, OS Build 14393.1914)
                     Windows 10 Pro (Version 1607, OS Build 14393.1770)
                     Windows 10 Pro (Version 1511, OS Build 10586.1232)
Tested Version(s): Windows 10 Pro (Version 1709, OS Build 16299.19)
                   Windows 10 Pro (Version 1703, OS Build 15063.726)
                   Windows 10 Pro (Version 1703, OS Build 15063.674)
                   Windows 10 Pro (Version 1703, OS Build 15063.483)
                   Windows 10 Pro (Version 1607, OS Build 14393.1914)
                   Windows 10 Pro (Version 1607, OS Build 14393.1770)
                   Windows 10 Pro (Version 1511, OS Build 10586.1232)
Vulnerability Type: Authentication Bypass by Spoofing (CWE-290)
Risk Level: High
Solution Status: Fixed on Windows 10 branches 1703 and 1709 with
                 enabled "enhanced anti-spoofing" feature
Manufacturer Notification: 2017-10-20
Solution Date: 2017-12-18
Public Disclosure: 2017-12-18
CVE Reference: Not yet assigned
Authors of Advisory: Matthias Deeg and Philipp Buchegger (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Microsoft Windows 10 offers a biometric authentication mechanism
using "near infrared" face recognition technology with specific Windows
Hello compatible cameras.

The manufacturer Microsoft describes the face authentication feature as
follows (see [1]):

"Microsoft face authentication in Windows 10 is an enterprise-grade
identity verification mechanism that's integrated into the Windows
Biometric Framework (WBF) as a core Microsoft Windows component called
Windows Hello. Windows Hello face authentication utilizes a camera
specially configured for near infrared (IR) imaging to authenticate and
unlock Windows devices as well as unlock your Microsoft Passport."

Further information about how Windows Hello works and its metrics
concerning false acceptance rate (FAR) and false rejection rate (FRR)
can also be found on the Microsoft website (see [2]).

Due to an insecure implementation of the biometric face recognition in
some Windows 10 versions, it is possible to bypass the Windows Hello
face authentication via a simple spoofing attack using a modified
printed photo of an authorized person.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH discovered that the Microsoft Windows Hello face
authentication using near infrared cameras in some Windows 10 versions
is vulnerable to simple spoofing attacks.

By using a modified printed photo of an authorized user, an unauthorized
attacker is able to log in to or unlock a locked Windows 10 system as
this spoofed authorized user.

Thus, by having access to a suitable photo of an authorized person
(frontal face photo), Windows Hello face authentication can easily be
bypassed with little effort, enabling unauthorized access to the Windows
system.

Both, the default Windows Hello configuration and Windows Hello with
the enabled "enhanced anti-spoofing" feature on different Windows 10
versions are vulnerable to the described spoofing attack and can be
bypassed. If "enhanced anti-spoofing" is enabled, depending on the
targeted Windows 10 version, a slightly different modified photo with
other attributes has to be used, but the additional effort for an
attacker is negligible. In general, the simple spoofing attack is less
reliable when the "enhanced anti-spoofing" feature is enabled.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH could successfully bypass the configured Windows Hello user
authentication with face recognition on two Windows 10 systems using a
modified printed photo (paper printout) of an authorized user.

For example, the spoofing attack was performed against a laptop device
(Dell Latitude E7470) running Windows 10 Pro (Version 1703) with a
Windows Hello compatible webcam [3] and against a Microsoft Surface
Pro 4 device [4] running Windows 10 Pro (Version 1607) with the built-in
camera.

Only the used Microsoft Surface Pro 4 device supported the "enhanced
anti-spoofing" feature of Windows 10. The used LilBit USB IR camera only
supported the default configuration and could not be used with the more
secure face recognition settings.

The default Windows Hello configuration could successfully be bypassed
on both test devices with all tested Windows 10 versions. The more
secure configuration with enabled "enhanced anti-spoofing" feature
could only successfully be bypassed on the Windows 10 branches 1511 and
1607.

Our first proof-of-concept video [6] demonstrates a successful attacks
against Windows Hello Face Authentication on a Microsoft Surface Pro 4
with Windows 10 version 1607 and enabled "enhanced anti-spoofing"
feature.

Depending on the targeted Windows 10 version and the target device
hardware configuration, slightly different modifications of the spoofing
attack had to be used, for example photos with higher resolution
(480x480 pixels instead of 340x340 pixels) or specially colored images.

Our second proof-of-concept video [7] shows two variations of the
spoofing attack utilizing different means.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to test results of SySS GmbH, the newer Windows 10 branches
1703 and 1709 [5] are not vulnerable to the described simple spoofing
attack using a paper printout if the "enhanced anti-spoofing" feature is
used with respective compatible hardware.

SySS recommends to update to the latest revision of Windows 10 version
1709, to enable the "enhanced anti-spoofing" feature, and to reconfigure
Windows Hello Face Authentication afterwards.

If only the Windows 10 operating system is updated from a vulnerable
version like 1607 to the latest revision of 1709 without newly setting up
Windows Hello Face Authentication, the simple spoofing attack still
works, as our third proof-of-concept video [8] illustrates.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2017-10-20: Vulnerability reported to manufacturer
2017-10-20: Manufacturer acknowledges e-mail with SySS security advisory
            and asks for tested configuration
2017-10-25: E-mail to manufacturer answering open questions
            E-mail to manufacturer with updated security advisory
2017-10-26: E-mail from manufacturer with further questions
2017-10-27: E-mail to manufacturer answering open questions
2017-10-27: E-mail from manufacturer with further questions
2017-10-30: E-mail to manufacturer answering open questions and with
            updated security advisory
2017-11-17: E-mail to manufacturer with an updated security advisory
2017-11-28: E-mail from manufacturer requesting further information
2017-12-01: E-mail to manufacturer concerning further information
2017-12-11: E-mail to manufacturer with new test results and revised
            security advisory
2017-12-15: E-mail from manufacturer with further information
2017-12-15: E-mail to manufacturer with updated security advisory
2017-12-18: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1]  Website for Microsoft Windows Hello Face Authentication

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication
[2]  Windows Hello Biometrics in the Enterprise

https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise
[3]  Amazon Link to Windows Hello compatible LilBit Face Tracking Camera

https://www.amazon.de/LilBit-Gesichtserkennung-Kamera-Windows-Schwarz/dp/B071R6ZV7Q/ref=sr_1_3?ie=UTF8&qid=1508435221&sr=8-3&keywords=windows+hello+webcam
[4]  Product website for Microsoft Surface Devices
     https://www.microsoft.com/en-us/surface
[5]  Windows 10 Release Information
     https://technet.microsoft.com/en-us/windows/release-info.aspx
[6]  SySS Proof-of-Concept Video, Biometricks: Windows Hello Face
Authentication Bypass PoC I
     https://www.youtube.com/watch?v=Qq8WqLxSkGs
[7]  SySS Proof-of-Concept Video, Biometricks: Windows Hello Face
Authentication Bypass PoC II
     https://www.youtube.com/watch?v=GVKKcoOZHwk
[8]  SySS Proof-of-Concept Video, Biometricks: Windows Hello Face
Authentication Bypass PoC III
     https://www.youtube.com/watch?v=cayqU3WCOso
[9]  SySS Security Advisory SYSS-2017-027

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-027.txt
[10] SySS Responsible Disclosure Policy
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg and Philipp
Buchegger of SySS GmbH.

E-Mail: matthias.deeg (at) syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

E-Mail: philipp.buchegger (at) syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Philipp_Buchegger.asc
Key fingerprint = 489F 34EE FA88 27DE 69A0 756B 0658 09F0 BB67 47E8

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE4TVOI2CRqFyeFFd6KN+zpwqYqdQFAlozrjsACgkQKN+zpwqY
qdQZ3g/+OuccpwZkyryzd/AN+BVkXJ+TyL81fRgtgyegXbL+nAuxHclTxQLV90dW
o7ofYWnN0144MSyQmpo7zIrzvyLTaWnuKOPaUAb3oMg8PVuAbR1W1UUqsGuxplwk
wWmbfF1QoBTSOvgGC1Ey/e7J2fDuKtNk8yDQxu5cEJI/pM6tdYUjP6E6z1pwnNlE
b6LwZZXSCJUc5LiStV28XcOnDzcqqiOVUCanOCBPHQ1metYl8LqGPiMHZMlA0x/E
v+HbcFSlBTr6aWX22Vh7JeikZkOPp5MEUBtqE3uCnnflS9npmluJawC/PEDaKbd9
1aOBki1xIbtO60kQ3NGdVKkqz4pleJO9NJvVYOgdk34/MNgUTX0++6p8D1pU7VBm
o0yKPSzF9Zt3yzEHGHbw6WV62CJ+nLZQwk1dhyXyIIjIWn601UloCwiSP2iQBIJD
isi+K+6F5b9dRCWRQM6aO2fajr6zRboqT4oGUShTZ1saDEiMAExwYiFmcpiKW6Mn
ZvKIr8jnf5mGqQNHbPotbo1AbScnqmv9/+2I8heHJ2PhMYu+w0wvUcmnoAShJpxt
+FBZHQP+HXEMj1blUR30eX5ptZr5ajhd1jheAhh2ZMVRsm6jm2Of7rTmcc/qrfu0
p6B75XSAAr2LLYUw8hNbNiVcnJMxJslzviV8aDBreoFLrbfsNuM=
=hWgD
-----END PGP SIGNATURE-----