Researchers successfully bypass Windows Hello fingerprint authentication on Dell, Lenovo, and Microsoft laptops using a sophisticated ploy


What you need to know

  • A group of researchers has been able to bypass Windows Hello's fingerprint authentication.
  • The researchers made the discovery while running tests on Dell, Lenovo, and Microsoft laptops.
  • Goodix, Synaptics, and ELAN fingerprint sensors were used as the basis for the research.
  • According to the researchers, they were able to bypass the security feature because Microsoft's SDCP protection wasn't enabled.
  • While Microsoft works on addressing this, the researchers recommend that users enable SDCP protection.

A group of security researchers from Blackwing Intelligence has uncovered multiple vulnerabilities affecting the top three fingerprint sensors, which allowed them to bypass Windows Hello fingerprint authentication on Dell, Lenovo, and Microsoft laptops.

The researchers were tasked by Microsoft's Offensive Research and Security Engineering team to test the security of fingerprint sensors. During the presentation of the results at Microsoft's BlueHat conference in October, the team disclosed that some of the popular fingerprint sensors were at the center of their research, including Goodix, Synaptics, and ELAN.

Per the report, the researchers shared a detailed description of how they built a USB device capable of carrying out a man-in-the-middle (MitM) attack. The report further detailed how the technique grants bad actors access to a stolen or unattended device.

In tests run to determine Windows Hello's dependability as a security feature, Dell's Inspiron 15, Lenovo's ThinkPad T14, and Microsoft's Surface Pro X all fell victim to the technique, provided fingerprint authentication was enabled on the device.

The researchers at Blackwing Intelligence discovered the security vulnerabilities in a custom TLS implementation on the Synaptics sensor while reverse engineering the software and hardware on these devices.

A passwordless future, but highly alarming nonetheless

This year, we've seen Microsoft become more "intentional" in its drive towards a passwordless future, especially with its most recent move designed to allow Windows 11 users to log into websites that support passkeys using Windows Hello. That move also allows users to manage their passkeys on saved Windows devices, including deleting passkeys through the Windows Settings app.

With more people now hopping onto the passwordless train with Windows Hello, this discovery creates a high level of uncertainty among users. This ultimately makes it even harder for them to decide whether to fully transition to the passwordless approach or stick to PINs.

It's not yet clear how Microsoft plans to address this issue. We also don't know whether hackers are currently leveraging this technique in the wild.

Microsoft did a good job designing Secure Device Connection Protocol (SDCP) to provide a secure channel between the host and biometric devices, but unfortunately, device manufacturers seem to misunderstand some of the objectives. Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all.

Blackwing Intelligence Researchers

The researchers disclosed that they were able to bypass Windows Hello's fingerprint authentication on some of the devices they were running tests on because SDCP protection wasn't enabled.

As a safety precaution, the group of researchers recommends that users ensure that SDCP protection is enabled at all times to prevent easy deployment of such attacks.


Kevin Okemwa
Contributor
