Microsoft HoloLens Denial-of-Service Vulnerability via Device Portal Pairing API
Vulnerability
A denial-of-service vulnerability has been identified in Microsoft HoloLens 1 (Windows Holographic) versions prior to 10.0.17763.3046 and HoloLens 2 (Windows Holographic) versions prior to 10.0.22621.1244. The issue lies in the pairing API request handler of the Device Portal framework: the handler accepts pairing requests without any limit on their rate or origin. An attacker on the same network as the device (or otherwise able to reach its Device Portal) can exploit this by sending a high volume of pairing requests to the Device Portal, exhausting the device's resources and leaving it unresponsive to legitimate user input.
Impact
Exploitation causes the HoloLens to become unresponsive and to display a pairing-PIN prompt that overlays and disrupts normal use. Processing the flood of requests drives the CPU to full load, and the device may overheat as a result. Rebooting does not end the attack: as long as the device keeps the same IP address, the attacker's script simply keeps reaching it and the condition resumes.
Reproduction
Reproduction requires that the Device Portal be enabled on the target (it is off by default and is switched on through the device's developer settings) and that the attacker be on the same network as the HoloLens. After confirming that the Device Portal is reachable at the device's IP address, the attacker runs a script that repeatedly sends pairing requests to the pairing API. The script can be written in Windows PowerShell and scheduled to run at startup on the attacker's machine, so the flood resumes automatically even after the HoloLens reboots. The sustained request processing keeps the device's CPU at full load, causing it to overheat and stop responding to user input.
Remediation
The fix belongs at the API level: cap the number of pairing requests the handler will accept from any single IP address, and cap the total number of pairing requests accepted within a short time window, rejecting or throttling anything beyond those limits so that a flood cannot monopolise the CPU or keep the PIN prompt on screen. Devices should be updated to the fixed versions listed above (HoloLens 1: 10.0.17763.3046 or later; HoloLens 2: 10.0.22621.1244 or later). Until that is possible, disabling the Device Portal when it is not needed, or keeping the device off untrusted networks, removes the attack surface entirely, since the pairing API is only reachable through the Device Portal.
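The following is an added illustration of the recommended control, not Microsoft's code or the Device Portal's actual fix. It implements a sliding-window limiter with the two caps the remediation calls for (per-IP and global), fronts a hypothetical pairing handler with it, and simulates both the single-source flood described in this advisory and a distributed variant. The handler name, the limit values, the HTTP 429 response, the fake clock and the RFC 5737 documentation addresses are all assumptions made for the example.

```python
import time
from collections import deque


class PairingRateLimiter:
    """Sliding-window limiter for a pairing endpoint (example, not the real fix).

    Two independent caps, as the remediation describes:
      * per_ip_limit  accepted requests per `window` seconds from one client IP
      * global_limit  accepted requests per `window` seconds across all clients
    A request is accepted only if both caps have room. Rejected requests do
    not consume budget, so a flood cannot starve the window indefinitely
    once it stops, and a legitimate user on another IP is not locked out by
    a single noisy source.
    """

    def __init__(self, per_ip_limit=5, global_limit=20, window=60.0,
                 clock=time.monotonic):
        self.per_ip_limit = per_ip_limit
        self.global_limit = global_limit
        self.window = window
        self.clock = clock            # injectable so the simulation is deterministic
        self._per_ip = {}             # ip -> deque of accepted timestamps
        self._global = deque()        # all accepted timestamps

    def _prune(self, q, now):
        """Drop timestamps that have fallen out of the window."""
        cutoff = now - self.window
        while q and q[0] <= cutoff:
            q.popleft()

    def allow(self, ip):
        now = self.clock()
        q = self._per_ip.setdefault(ip, deque())
        self._prune(q, now)
        self._prune(self._global, now)
        if len(q) >= self.per_ip_limit or len(self._global) >= self.global_limit:
            return False
        q.append(now)
        self._global.append(now)
        return True


class FakeClock:
    """Manually advanced clock so the simulation below does not sleep."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def handle_pairing_request(limiter, client_ip):
    """Hypothetical front end to the pairing handler: only requests that pass
    the limiter reach the (simulated) PIN prompt; the rest get HTTP 429."""
    if not limiter.allow(client_ip):
        return 429, "too many pairing requests"
    return 200, "pin prompt shown"


def simulate_flood(attacker_requests=1000, per_ip_limit=5, global_limit=20, window=60.0):
    """Single-source flood as in the advisory: one IP sends a burst at 1 ms spacing.
    Returns how much of it got through, whether a user on another IP could still
    pair during the flood, and whether the attacker's budget is restored after
    the window elapses."""
    clock = FakeClock()
    limiter = PairingRateLimiter(per_ip_limit, global_limit, window, clock)
    attacker_ip, user_ip = "192.0.2.10", "192.0.2.20"   # constructed, RFC 5737 addresses
    attacker_accepted = 0
    for _ in range(attacker_requests):
        status, _ = handle_pairing_request(limiter, attacker_ip)
        attacker_accepted += status == 200
        clock.advance(0.001)
    user_status, _ = handle_pairing_request(limiter, user_ip)
    clock.advance(window)                                 # window passes, budget refills
    attacker_after_window, _ = handle_pairing_request(limiter, attacker_ip)
    return {
        "attacker_accepted": attacker_accepted,           # capped at per_ip_limit
        "user_status_during_flood": user_status,          # 200: user unaffected
        "attacker_status_after_window": attacker_after_window,
    }


def simulate_distributed_flood(n_ips=50, per_ip_limit=5, global_limit=20, window=60.0):
    """Many IPs sending one request each: the per-IP cap never trips, so the
    global cap is what bounds the work the handler does. Returns accepted count."""
    limiter = PairingRateLimiter(per_ip_limit, global_limit, window, FakeClock())
    accepted = 0
    for i in range(n_ips):
        status, _ = handle_pairing_request(limiter, "198.51.100.%d" % (i + 1))
        accepted += status == 200
    return accepted


if __name__ == "__main__":
    print(simulate_flood())                # attacker_accepted 5, user 200, after window 200
    print(simulate_distributed_flood())    # 20
```

The per-IP cap is what keeps one attacker from occupying the PIN prompt, and the global cap bounds total handler work even when the source addresses vary; both are needed, and the real handler would also want to stop re-displaying the prompt for rejected requests.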
