
Unveiled: Windows Security Evasion Technique - Cybercriminals Employ Own Facial Appearances as Decoy

Unheeded alert: hackers outwit Windows Hello's security measures.

Hackers Embrace Windows Security Loophole by Utilizing Personalized Facialogues


In a recent demonstration at the Black Hat hacking conference in Las Vegas, security researchers Dr Baptiste David and Tillmann Osswald from ERNW Research showed that the business version of Windows Hello can be compromised by someone who already holds local admin credentials. The vulnerability, which has received an urgent security warning (CVE-2025-53786), allows the encryption protecting the biometric data to be broken by anyone holding local admin privileges.

The vulnerability is related to the way Windows Hello uses a cryptographic key stored in a database linked to the Windows Biometric Service. Researchers demonstrated that this key can be broken using information accessible to a local admin, allowing them to inject fake biometric data that the system will accept without further verification, effectively impersonating any user.

Microsoft appreciates the work of ERNW in identifying and responsibly reporting the vulnerability. The company has stated that the scenarios described require an attacker to have obtained prior administrative access to a target system.

To strengthen Windows Hello facial recognition security, Microsoft's Enhanced Sign-in Security (ESS) can be enabled. ESS operates at the hypervisor virtual trust level (VTL1) to protect biometric data storage and prevent the injection of unauthorized biometric templates. However, ESS is not supported on all machines.

When ESS is unavailable, the next best mitigation is to disable biometrics and use stronger authentication factors like PIN or passkeys, which are less vulnerable to local admin attacks. Microsoft is promoting these methods as more secure and passwordless.

For systems without ESS support, it is recommended to disable Windows Hello biometrics entirely and revert to PIN or passkeys. Additionally, strong local admin password policies and account lockout policies should be enforced to limit brute-force risks on high-privilege accounts. Multi-factor authentication solutions, such as Duo, can provide an added verification layer on top of Windows credentials to protect against compromised admin credentials.

Other best practices include keeping Windows 10 or 11 systems updated to apply the latest security patches related to Windows Hello and authentication. Using hardware with a TPM and infrared webcams designed for secure biometrics is also advisable. IT administrators should be trained to audit local admin privileges closely, as local admin access is the main vector for this bypass.
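The hardening steps above (check whether the hypervisor-based protection is available, otherwise disable biometric sign-in, tighten lockout, and review who holds local admin) can be scripted. The following PowerShell is an added example written for this article; it is not code from ERNW, Microsoft or the page. It assumes an elevated PowerShell session on Windows 10/11, that the `HKLM:\SOFTWARE\Policies\Microsoft\Biometrics` key is the standard "Allow the use of biometrics" policy location, that the local Administrators group carries its English name, and that the lockout values are placeholders an administrator would adjust. Checking that virtualization-based security (VBS) is running only confirms a prerequisite of ESS, not that ESS itself is enabled; that is reported in Settings.

```powershell
# Added example (not from ERNW, Microsoft or the article): audit and harden a
# host that cannot rely on Enhanced Sign-in Security. Run elevated.

$BiometricsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'   # assumed standard policy key

function Get-VbsStatus {
    # ESS needs VBS (VTL1) running. 2 = running, 1 = enabled but not running, 0 = disabled.
    # This is only the prerequisite check; ESS itself is shown in Settings > Sign-in options.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    return [int]$dg.VirtualizationBasedSecurityStatus
}

function Disable-WindowsHelloBiometrics {
    # Group Policy "Allow the use of biometrics" = Disabled. PIN and passkey sign-in are unaffected.
    if (-not (Test-Path $BiometricsPolicy)) {
        New-Item -Path $BiometricsPolicy -Force | Out-Null
    }
    Set-ItemProperty -Path $BiometricsPolicy -Name 'Enabled' -Value 0 -Type DWord
    # Also stop the Windows Biometric Service so already-enrolled templates are not served.
    Stop-Service -Name 'WbioSrvc' -Force -ErrorAction SilentlyContinue
    Set-Service  -Name 'WbioSrvc' -StartupType Disabled
}

function Test-WindowsHelloBiometricsDisabled {
    # $true only when both the policy value and the service startup type are off.
    $policy = (Get-ItemProperty -Path $BiometricsPolicy -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    $svc    = Get-Service -Name 'WbioSrvc' -ErrorAction SilentlyContinue
    return ($policy -eq 0) -and ($null -eq $svc -or $svc.StartType -eq 'Disabled')
}

function Set-LocalLockoutPolicy {
    # Placeholder values: lock after 10 bad passwords, 15-minute lockout and reset window.
    net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15 | Out-Null
}

function Get-LocalAdminReport {
    # Every member of the local Administrators group and where the principal comes from,
    # so unexpected local or domain accounts can be removed.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# --- run ---
if ((Get-VbsStatus) -ne 2) {
    Write-Host 'VBS is not running, so ESS cannot protect this host: disabling biometric sign-in.'
    Disable-WindowsHelloBiometrics
    Set-LocalLockoutPolicy
} else {
    Write-Host 'VBS is running. Confirm ESS is enabled in Settings before relying on biometrics.'
}
Write-Host ('Biometrics disabled: {0}' -f (Test-WindowsHelloBiometricsDisabled))
Write-Host 'Local Administrators membership (review each entry):'
Get-LocalAdminReport | Format-Table -AutoSize
```

The policy key disables biometrics without touching the PIN, which is exactly the fallback the article recommends; stopping `WbioSrvc` is belt-and-braces so that templates already stored on the machine are not exposed through the service while the policy takes effect.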

In summary, the strongest security posture involves applying ESS where available and, where it is not, disabling biometric sign-in methods in favor of PIN, passkeys, and two-factor authentication, while tightly controlling local admin access. The demonstration did not involve any compromise of user data, nor any hacking of Google or airline data breaches.

  1. The demonstration at the Black Hat hacking conference highlighted the potential risk of hackers bypassing Windows Hello's facial recognition security through a local admin attack, which could allow them to inject fake biometric data and impersonate any user.
  2. When the Enhanced Sign-in Security (ESS) isn't available, it's advisable to disable Windows Hello biometrics and opt for stronger authentication factors like PIN or passkeys, as they are less vulnerable to local admin attacks and promote a more secure and passwordless environment.
