Security questions—the annoying shared secrets used as a secondary form of authentication—have been around forever and are used by just about everyone to deal with users who forget their password. That’s starting to change as more enlightened services—most notably Google and Facebook—have recently phased out security questions after recognizing something then vice presidential candidate Sarah Palin learned the hard way in 2008: the answers are easy for hackers to guess.
Enter Microsoft, which earlier this year added a security questions feature to Windows 10. It allows users to set up a list of security questions that can be asked in the event they later forget a password to one of their administrative accounts. By answering questions such as “What was your first car?” the users can reset the forgotten password and regain control of the account. It didn’t take long for researchers to identify weaknesses in the newly introduced feature. They presented their findings today at the Black Hat Europe Security Conference in London.
“Durable, stealthy backdoor”
The problem, the researchers said, is that the password reset questions are too easy to set and too hard to monitor in networks made up of hundreds or thousands of computers. A single person with administrator credentials can remotely turn them on or change them on any Windows 10 machine and there’s no simple way for the changes to be monitored or changed. As a result, malicious users—say a rogue employee or a hacker who briefly gains unauthorized administrative control—can use the security questions as a backdoor that will secretly allow them to regain control should they ever lose it.
“Once an attacker is inside a compromised domain, each Windows 10 machine that he has network access and admin privileges to he can remotely change the security questions for administrative users on that machine and therefore create a very stealthy backdoor,” Magal Baz, a security researcher at Illusive Networks, told Ars in an interview. “He can choose any Windows 10 machine with the security questions feature and create this backdoor without executing his own code, simply with remote access to it, and create for himself this durable, stealthy backdoor.”
One technique for exploiting the feature is for someone with administrative control of a network to remotely “spray” security questions and corresponding answers across a fleet of Windows 10 machines. By knowing the answers, the attacker can ensure a persistent hold over the network.
The researchers also described a method for remotely accessing the password reset screen once security questions have been sprayed. By default, the password reset screen isn’t available through the Windows 10 remote desktop. But to make Windows 10 compatible with earlier Windows versions, the newer OS can be configured so that users can log on using the ordinary winlogon screen, and from there they can access the password reset option. After attackers have accessed the password reset screen and answered a previously set question to remotely take over a computer, they can revert back to the user’s original password to avoid leaving any signs of the remote compromise. They can do this using the Mimikatz tool to get the hash of the previous password.
When the researchers began looking into Windows 10 security questions, there was no tool that allowed administrators to access all Windows 10 machines in-network and check if security questions had been changed and to reset them if they had. The researchers went on to develop such an open source tool, which they are now releasing. Among other things, it allows admins to disable security questions remotely or to set answers to be something only they know, such as a nonsensical string of characters.
The researchers urged Microsoft to improve the nascent security questions feature, either by building a better monitoring capability directly into the OS or providing other changes that will make it less prone to abuse. When Ars asked Microsoft for comment, a spokesman sent the following response: “The described technique requires an attacker to already possess administrator access.”
The talk is titled “When Everyone’s Dog is Named Fluffy: Abusing the Brand New Security Questions in Windows 10 to Gain Domain-Wide Persistence.” Besides Baz, Tom Sela, who is head of research at Illusive Networks, also participated. They said their goal is to bring awareness to a feature that’s ripe for abuse.
“We’re not looking at a catastrophe, but a feature like that is creating a larger attack surface,” Baz said. “It creates more opportunities for creating persistence on machines. It’s creating an opportunity for attackers inside a compromised network. If it’s not mitigated there is a new blind spot that could be utilized by attackers.”