What you need to know
- A group of researchers has been able to bypass Windows Hello's fingerprint authentication.
- The researchers made the discovery while running tests on Dell, Lenovo, and Microsoft laptops.
- Goodix, Synaptics, and, ELAN fingerprint sensors were used as the basis for the research.
- According to the researchers, they were able to bypass the security feature because Microsoft's SDCP protection wasn't enabled.
- While Microsoft works on a way around this, the researchers recommend that users should enable SDCP protection.
A group of security researchers from Blackwing Intelligence have uncovered multiple vulnerabilities affecting the top three fingerprint sensors, which allowed them to bypass Windows Hello fingerprint authentication on Dell, Lenovo, and Microsoft laptops.
The researchers were tasked by Microsoft's Offensive Research and Security Engineering team to test the security of fingerprint sensors. During the presentation of the results at Microsoft’s BlueHat conference in October, the team disclosed that some of the popular fingerprint sensors were at the center of their research, including Goodix, Synaptics, and, ELAN.
Per the report, the researchers shared a detailed description highlighting how they were able to build a USB device with the capability to deploy a man-in-the-middle (MitM) attack. The report further detailed how the sophisticated technique grants bad actors access to a stolen or unattended device.
While running tests to determine Windows Hello's dependability as a security feature, Dell's Inspiron 15, Lenovo's ThinkPad T14, and Microsoft's Surface Pro X unfortunately fell victim to the sophisticated ploy, provided fingerprint authentication was enabled on the device.
The researchers at Blackwing Intelligence discovered the security vulnerabilities in a custom TLS on the Synaptics sensor while reverse engineering the software and hardware on these devices.
A passwordless future, but highly alarming nonetheless
This year, we've seen Microsoft become more "intentional" in its drive towards a passwordless future, especially with its most recent move designed to allow Windows 11 users to log into websites that support passkeys using Windows Hello. Additionally, it also allows users to manage their passkeys on saved Windows devices, including deleting passkeys through the Windows Settings app.
With more people now hopping onto the passwordless train with Windows Hello, it creates a high level of uncertainty among users. This ultimately makes it even harder to decide whether they should fully transition to the passwordless approach or stick to pins.
It's not yet clear how Microsoft plans to go about this issue, we also don't know if hackers are currently leveraging this technique in the wild.
Microsoft did a good job designing Secure Device Connection Protocol (SDCP) to provide a secure channel between the host and biometric devices, but unfortunately, device manufacturers seem to misunderstand some of the objectives. Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all.
Blackwing Intelligence Researchers
The researchers disclosed that they were able to bypass Windows Hello's fingerprint authentication on some of the devices they were running tests on because SDCP protection wasn't enabled.
As a safety precaution, the group of researchers recommends that users should ensure that SDCP protection is enabled at all times to prevent easy deployment of such attacks.
Do you use Windows Hello on your PC? Share your experience with us in the comments.
