We are back from Black Hat USA, where we presented our research on Windows Hello for Business (Slides) once more. In the last two blog posts, we have discussed the architecture of WHfB and past attacks, as well as how the database works and how to swap identities in the database.
First, a few words regarding my experience at Black Hat: it was my first time attending the conference, and I did so directly as a speaker. I thoroughly enjoyed Black Hat. It took a while to get used to the size of the conference and the vibe of Las Vegas. What was especially interesting for me was connecting with other researchers. One thing that stood out was meeting the team from MSRC and putting faces to the names. It feels much more personal to know the people handling your cases. During TROOPERS I typically have the chance to connect with many researchers, mainly from Europe. At Black Hat USA, on the other hand, it is possible to connect more with the US scene and meet people you haven’t seen in a long time! Seeing familiar faces again is always nice, as opposed to putting them into your biometric template database. One nice detail was that some international researchers are aware of the research the BSI (German: “Bundesamt für Sicherheit in der Informationstechnik” – “German Federal Office for Information Security”) is facilitating. The results of our presentation stem from the “Windows Dissected” project we are performing on behalf of the BSI.
For Black Hat, we decided to focus more on the initialization of the Biometric Service and less on its configuration, compared to our presentation at TROOPERS. Additionally, we have updated our tooling. In the past, we were able to decrypt and display all headers; now we can also decrypt and show the biometric template stored in the database. Beyond that, the template can now be dumped or modified.
This allows for a neat attack:
- An attacker enrolls their face with Windows Hello (for Business) on any machine. This does not need to be the machine where the template is later injected!
- The attacker decrypts the biometric database on that machine and dumps their template.
- Now the attacker switches to the target machine. The victim is enrolled there with a domain account and WHfB using their face.
- The attacker, who has local administrative privileges on the target machine, injects the previously created and dumped template into the template database for the targeted domain account.
- Finally, the attacker can authenticate against the domain as the hijacked account using their own face.
Cheers,
Till