Implementation flaw in Windows Hello biometrics

Posted by Passcape_Admin at 10:09:02 02.09.2022

Brief overview
OSes affected
What is Windows Hello biometrics?
What is DPAPI?
Description of the mis-implementation in Windows Hello biometric authentication
What data is at risk?
PoC
Conclusion

This article is also available in PDF format and in a Russian version.


 

 

Brief overview

Using Windows Hello biometric authentication compromises all personal data encrypted with DPAPI.

 

OSes affected

If TPM protection is not enabled, all versions of Windows 10 and 11 are affected, for all local accounts as well as Microsoft and Azure AD accounts.
 
 

What is Windows Hello biometrics?

Unlike ordinary password authentication, Windows Hello biometrics is a new, easy and supposedly safer way to sign in to Windows using your unique physical characteristics. Windows Hello was first introduced in Windows 10 and included fingerprint and face recognition technology.

Windows Hello allows users to securely log in to devices that have the necessary hardware components without having to type a password. You will have to work hard to forget or alter your biometric data, because it is an integral part of your personal identity. Moreover, biometric authentication, whether facial recognition or fingerprint scanning, is more convenient and faster than typing a password.
 
 

What is DPAPI?

The Data Protection Application Programming Interface (DPAPI) has been the primary data protection subsystem in all Windows operating systems since Win2K. DPAPI is used both by applications, to protect their private information against prying eyes, and by the system, to keep your personal data safe and secure: network passwords, digital certificates and private encryption keys, authentication tokens, etc. If you want to dig deeper into the way DPAPI works, refer to our blog post dedicated to DPAPI algorithms and principles.
 
 

Description of the mis-implementation in Windows Hello biometric authentication

The DPAPI implementation in Windows 10 and 11 is fully compatible with Windows Hello biometric authentication. So, besides using your logon password, it is possible to decrypt any DPAPI-protected data directly with a fingerprint or facial recognition. The problem is that neither a fingerprint nor facial recognition is actually required to do that, since the user profile directly stores everything necessary for successful decryption, assuming that the appropriate authentication method has previously been configured for the user account.
 
 

What data is at risk?

All DPAPI-protected data is at risk as soon as all the following conditions are met:

- The source operating system is Microsoft Windows 10 or higher;
- The user account type is local, Microsoft, or Azure AD;
- The user account is configured to log in using Windows Hello biometrics;
- The TPM protection is off.

Some examples of the personal data protected by DPAPI:
  • Passwords to websites, cookies and credit cards stored by the popular browsers: Google Chrome, Microsoft Edge, Opera browser, etc.
  • Passwords for some popular e-mail clients, such as Microsoft Office Outlook and Windows Mail, and encryption keys for S/MIME.
  • Credentials to shared resources.
  • Encryption keys and passwords stored in Windows Vault.
  • Remote Desktop credentials.
  • EFS encryption keys.
  • Users' personal certificates.
  • Network credentials stored in Credential Manager, including authentication tokens and other private information.
  • Personal data in any application that uses DPAPI, such as Skype, Windows Rights Management Services, Windows Media and so on.
 

PoC

Here are step-by-step instructions on how to decrypt a DPAPI blob without knowing the user logon password.

Attach an external disk drive with the biometric account to your PC. In the case of a virtual disk, make sure it has read-write permissions. Otherwise, the program will not be able to extract any data from Windows Hello protected directories. In the screenshots below, the system assigned the letter F: to the externally connected drive.

Run Windows Password Recovery, locate the 'Utils' menu, and then select 'DPAPI decoder and analyzer -> Decrypt DPAPI data blob'.

Provide the path to the DPAPI blob you need to decrypt and to the Windows directory.
[Screenshot: Path to the DPAPI blob and Windows directory]

In the next dialog, specify the path to the master key. All of the user's master keys live in the %USER_PROFILE%\AppData\Roaming\Microsoft\Protect folder.
[Screenshot: Path to the master key file]

Now select 'Password-less' and click the 'Next' button to finalize the decryption.
[Screenshot: Password-less decryption]

[Screenshot: DPAPI blob decrypted without password]


 

Conclusion

Despite all of Microsoft's assurances about the safety of biometric authentication, we see that this is not quite true, to put it mildly.

If your account uses biometric authentication with the TPM protection turned off, be extremely careful. All your personal data is at potential risk!

To protect your personal information, consider enabling full disk encryption, turning on the TPM protection (if your hardware supports it, of course), or stop using biometric authentication altogether.
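
The conditions listed under "What data is at risk?" and the mitigations above can be checked on a machine with a short PowerShell function. This is an added example, not part of the original article or of Passcape's tools. It assumes that a TPM reported as present and ready by `Get-Tpm` is a usable proxy for "TPM protection", and that biometric enrollments are recorded per SID under the WinBio `AccountInfo` registry key with an `EnrolledFactors` value; `Get-HelloDpapiExposure` is a name chosen for this example.

```powershell
# Added example (not from the original article). Run elevated on Windows 10/11.
function Get-HelloDpapiExposure {
    # Condition: Windows 10 or higher.
    $isWin10Plus = [Environment]::OSVersion.Version.Major -ge 10

    # Condition (proxy): TPM protection off. Assumption: if no TPM is present
    # and ready, Windows Hello cannot be using TPM-backed protection.
    $tpmReady = $false
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $tpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    } catch { Write-Verbose "Get-Tpm failed: $_" }

    # Condition (proxy): biometrics enrolled. Assumption: enrolled accounts have
    # a per-SID subkey here with a non-zero EnrolledFactors value.
    $bioRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WinBio\AccountInfo'
    $enrolledSids = @()
    if (Test-Path $bioRoot) {
        $enrolledSids = @(Get-ChildItem $bioRoot | Where-Object {
            $v = Get-ItemProperty -Path $_.PSPath -Name EnrolledFactors -ErrorAction SilentlyContinue
            $v -and $v.EnrolledFactors -ne 0
        } | ForEach-Object { $_.PSChildName })
    }

    # Mitigation: full disk encryption on the system drive (BitLocker).
    $fdeOn = $false
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $fdeOn = $vol.ProtectionStatus -eq 'On'
    } catch { Write-Verbose "Get-BitLockerVolume failed: $_" }

    [pscustomobject]@{
        Windows10OrHigher      = $isWin10Plus
        BiometricAccounts      = $enrolledSids
        TpmPresentAndReady     = $tpmReady
        SystemDriveEncrypted   = $fdeOn
        # Account type is not checked: the article lists local, Microsoft
        # and Azure AD accounts as all affected.
        MeetsArticleConditions = $isWin10Plus -and ($enrolledSids.Count -gt 0) -and -not $tpmReady
    }
}

Get-HelloDpapiExposure | Format-List
```

A result with `MeetsArticleConditions` true and `SystemDriveEncrypted` false describes the offline scenario from the PoC, where the disk is attached to another PC.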



 
 