
Windows Hello fingerprint authentication bypassed on Microsoft, Dell, and Lenovo laptops

Three laptops—Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro Type Cover with Fingerprint ID—served as the subjects of the experiment.

New Delhi: The Windows Hello security feature, which allows users to sign in to Windows-powered devices without using a password, may not be very safe.

According to a blog post by Blackwing Intelligence, Microsoft’s Offensive Research and Security Engineering (MORSE) recently asked the firm to assess the security of the three most popular fingerprint sensors used in laptops. The assessment found several security holes that might enable an attacker to fully circumvent Windows Hello authentication.

Jesse D’Aguanno and Timo Teräs of Blackwing hacked the laptops’ inbuilt fingerprint sensors, which were manufactured by Goodix, ELAN, and Synaptics.

All the fingerprint sensors that were tested were Match-on-Chip (MoC) sensors, which means that each has its own processor and storage, so fingerprint matching can be performed securely on the chip itself.

Although MoC sensors do a good job of preventing stored fingerprint data from being replayed to the host for matching, they do not by themselves stop a malicious sensor from imitating a legitimate sensor’s communication with the host. Such a sensor could replay previously observed traffic between the host and the sensor, or falsely claim that a user has authenticated successfully.

Microsoft designed the Secure Device Connection Protocol (SDCP) to prevent attacks that take advantage of these weaknesses. On the devices in question, it should have verified that the fingerprint device was trusted and healthy, and protected the data transmitted between the fingerprint device and the host.
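Why a bare "match" message is not enough, and what a fresh, keyed response changes, can be seen in the following Python example. It is added here as an illustration and is not code from Blackwing Intelligence or Microsoft; it is a simplified model, not SDCP's actual message format, and the names `Host`, `sensor_response`, `mac_match` and `demo` and the session key are constructed for the example.

```python
import hashlib
import hmac
import os

def mac_match(key: bytes, nonce: bytes, user_id: bytes) -> bytes:
    # The nonce has a fixed length (32 bytes), so the concatenation is unambiguous.
    return hmac.new(key, b"match" + nonce + user_id, hashlib.sha256).digest()

def sensor_response(key: bytes, nonce: bytes, user_id: bytes) -> dict:
    """Genuine sensor: after an on-chip match, bind the result to the host's nonce."""
    return {"user_id": user_id, "nonce": nonce, "mac": mac_match(key, nonce, user_id)}

class Host:
    def __init__(self, key: bytes):
        self.key = key
        self.pending = None  # nonce of the outstanding challenge, if any

    def challenge(self) -> bytes:
        self.pending = os.urandom(32)
        return self.pending

    def accept_cleartext(self, resp: dict) -> bool:
        # Weak setting: any well-formed "match" message on the bus is trusted.
        return "user_id" in resp

    def accept_authenticated(self, resp: dict) -> bool:
        nonce, self.pending = self.pending, None  # each challenge is single-use
        if nonce is None or resp.get("nonce") != nonce:
            return False  # stale or replayed response
        expected = mac_match(self.key, nonce, resp.get("user_id", b""))
        return hmac.compare_digest(expected, resp.get("mac", b""))

def demo() -> dict:
    key = os.urandom(32)  # constructed; stands in for a key from authenticated session setup
    host = Host(key)
    genuine = sensor_response(key, host.challenge(), b"alice")
    results = {"genuine": host.accept_authenticated(genuine)}
    host.challenge()  # new login attempt, new nonce
    results["replayed"] = host.accept_authenticated(genuine)
    forged = {"user_id": b"alice", "nonce": host.challenge(), "mac": bytes(32)}
    results["forged"] = host.accept_authenticated(forged)
    results["forged_cleartext"] = host.accept_cleartext(forged)
    return results

if __name__ == "__main__":
    print(demo())
```

The host that checks the nonce and MAC rejects both the replayed and the forged response, while the cleartext check accepts the forged one.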

Regardless, the security researchers were able to circumvent Windows Hello authentication on all three laptops by using man-in-the-middle (MiTM) attacks which relied on a bespoke Linux-powered Raspberry Pi 4 device.

They used hardware and software reverse engineering, broke cryptographic implementation flaws in the Synaptics sensor’s custom TLS protocol, and decoded and re-implemented proprietary protocols.

By impersonating a legitimate Windows user and registering their own fingerprint, an attacker may circumvent authentication on Dell and Lenovo laptops. This was possible because the Synaptics sensor used a custom TLS stack instead of SDCP to encrypt USB traffic.

After removing the Type Cover that contained the fingerprint sensor from the Surface tablet, they were able to spoof the sensor and send login responses that the host accepted. The real sensor on the device lacked authentication, used a cleartext USB connection, and was not protected by SDCP.

According to the researchers, Microsoft did excellent work in designing SDCP to provide a secure connection between the host and biometric devices, but device makers seem to misunderstand some of its goals.

SDCP covers only a restricted portion of a device’s operation, and most devices have a large attack surface that it does not cover. Having found SDCP disabled on two of the three targeted laptops, Blackwing Intelligence advises biometric authentication suppliers to make sure SDCP is enabled to prevent such attacks.