
By Fooling a Webcam, Hackers were Able to get Past Windows Hello

 

Biometric authentication is a critical component of the IT industry's plan to eliminate the need for passwords. However, a new method for fooling Microsoft's Windows Hello facial recognition technology demonstrates that a little hardware tinkering can make the system unlock when it shouldn't.

Face-recognition authentication has become more prevalent in recent years thanks to services like Apple's FaceID, with Windows Hello driving usage even further. Face recognition by Hello is compatible with a variety of third-party webcams. 

Windows Hello facial recognition works only with webcams that have an infrared sensor in addition to the conventional RGB sensor. However, it turns out that the system doesn't even look at RGB data. The researchers discovered that by using a single straight-on infrared image of a target's face and a black frame, they were able to unlock the victim's Windows Hello–protected device. By manipulating a USB webcam to deliver an attacker-chosen image, they fooled Windows Hello into thinking the device owner's face was present and unlocking.

“We tried to find the weakest point in the facial recognition and what would be the most interesting from the attacker’s perspective, the most approachable option,” says Omer Tsarfati, a researcher at the security firm CyberArk. “We created a full map of the Windows Hello facial-recognition flow and saw that the most convenient for an attacker would be to pretend to be the camera because the whole system is relying on this input.”

Microsoft dubbed the discovery a "Windows Hello security feature bypass vulnerability" and patched the problem on Tuesday. Furthermore, the company recommends that users use "Windows Hello enhanced sign-in security," which employs Microsoft's "virtualization-based security" to encrypt Windows Hello facial data and process it in a secure area of memory. 

Tsarfati, who will present the findings at the Black Hat security conference in Las Vegas next month, says the CyberArk team focused on Windows Hello's facial-recognition authentication because there has already been a lot of research into PIN cracking and fingerprint-sensor spoofing in the industry. 

He goes on to say that the team was also drawn by the large number of Windows Hello users. Microsoft said in May 2020 that the service had over 150 million users. In December, Microsoft announced that 84.7 percent of Windows 10 users use Windows Hello to log in.

Adorcam Leaks Thousands of Webcam Accounts

 

A webcam application installed by a huge number of users left a database loaded with user information exposed on the internet without a password. The Elasticsearch database belonged to Adorcam, an application for viewing and controlling a few webcam models, including Zeeporte and Umino cameras. Security researcher Justin Paine found the data exposure and contacted Adorcam, which secured the database. The Adorcam application is built specifically for the P2P IP camera series. Users only need to enter the camera ID and password to watch real-time video from any purchased IP camera on their phone; no complicated IP or router settings are required.

Paine said in a blog post that the database contained around 124 million rows of information for the several thousand users. It included live details about the webcam (for example, its location, whether the microphone was active, and the name of the WiFi network that the camera is connected to) and information about the webcam owner, such as email addresses. Paine additionally discovered evidence of the camera uploading captured stills from the webcam to the application's cloud; however, he was unable to confirm this since the links had expired.

He also discovered hardcoded credentials in the database for the application's MQTT server. MQTT is a lightweight messaging protocol often used in internet-connected devices. Paine didn't test the credentials (as doing so would be unlawful in the U.S.), but alerted the application's developer to the vulnerability, who then changed the password. Paine verified that the database was being updated live by signing up with a new account and looking for his data in the database. Although the data was of limited sensitivity, Paine cautioned that a malicious hacker could craft convincing phishing emails or use the data for extortion.

In his report on the matter, Paine pointed out that the data contained in the database distinguished between Adorcam's Chinese clients and its clients outside of China, saying, “One interesting detail about this database was that the user information was split between Chinese users and "abroad" users. For example: request_adorcam_cn_user vs. such as request_adorcam_abroad_user. Adorcam almost certainly has breach disclosure obligations based on what appeared to be a global user base. If they had users within the EU they absolutely have an obligation.”

Flaw in Zoom app could allow Mac webcams to be hacked

Jonathan Leitschuh, a US-based security researcher, publicly disclosed a major zero-day vulnerability in the Zoom video conferencing software on Monday. Leitschuh demonstrated that any website can start a video-enabled call through the Zoom software on a Mac with the help of a web server that the Zoom app installs.

According to a report by The Verge, the server accepts requests that regular browsers would not. The report further says that even if you uninstall the Zoom software, the server remains and can reinstall Zoom without the user's consent. According to Leitschuh's findings, any website can hijack the Zoom software and force a Mac user to join a call with the webcam activated, without their permission, unless a specific setting is enabled.

In a Medium post published on Monday, Leitschuh gave a demonstration in the form of a link that, when clicked, takes Mac users (who currently use or have previously used the Zoom app) to a conference room with their webcams activated. He notes that this code can be embedded in any website, as well as in malicious ads or a phishing campaign.

Leitschuh further writes that even if Mac users uninstall the Zoom app, the local web server still remains and it will “happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage.”

The Verge said in its report that it tried the flaw using Leitschuh's demo and was able to confirm that the issue occurs on clicking the link if Mac users have used the Zoom app and have not checked a particular checkbox in settings. The link automatically joins users to a conference call with the web camera on.

Leitschuh says he contacted Zoom on March 26 this year and said that he would disclose the exploit publicly in 90 days. According to him, Zoom does not seem to have done enough to resolve the problem. The vulnerability was also disclosed to both the Chromium and Mozilla teams; however, because it is not an issue with their browsers, there is not much those developers can do about it.