The premier sensors enabling Windows Hello fingerprint authentication are not as secure as manufacturers had hoped. Researchers have discovered security flaws in a number of fingerprint sensors used in several laptops that work with the Windows Hello authentication feature.
Security researchers at Blackwing Intelligence have uncovered that laptops made by Dell, Lenovo, and Microsoft can have their Windows Hello fingerprint authentication bypassed easily due to vulnerabilities in the sensors that can cause them to be taken over by bad actors at the system level.
Many of the laptop brands use fingerprint sensors from Goodix, Synaptics, and ELAN. These vulnerabilities are beginning to arise as businesses transition to biometrics as a primary option for accessing devices. As time goes on, password use will continue to diminish. Three years ago, Microsoft claimed that 85% of its users were opting for a Windows Hello sign-in on Windows 10 devices over a password, according to The Verge.
On request from Microsoft’s Offensive Research and Security Engineering (MORSE), researchers shared details of various attacks that have plagued fingerprint authentication-enabled laptops at the brand’s BlueHat conference in October.
One such attack is a man-in-the-middle (MitM) attack, which can be used to access a stolen laptop. Another method is an “evil maid” attack, which can be used on an unattended device.
Blackwing Intelligence researchers tested a Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X, which all fell victim to various bypass methods as long as someone had previously used their fingerprint to access the devices. The researchers noted that the bypassing entailed reverse engineering of the hardware and software on the laptops. They found flaws in the security layer of the Synaptics sensor, in particular. Windows Hello needed to be decoded and restructured to get past its setup, but it was still able to be hacked.
Researchers noted that Microsoft’s Secure Device Connection Protocol (SDCP) is a solid attempt at applying a security measure within the biometric standard. It allows for more secure communication between the biometric sensor and its laptop. However, not all manufacturers implemented the feature well enough for it to be effective, if they enabled it at all. Two out of the three laptops examined in the study had SDCP enabled.
Having more secure biometric laptops won’t only be a task for Microsoft. An initial remedy for securing Windows Hello-enabled laptops is also to have SDCP enabled on the manufacturer’s side, Blackwing Intelligence noted.
This study follows a 2021 facial recognition biometrics flaw in Windows Hello that allowed users to bypass the feature with certain alterations. Microsoft was forced to update its feature after researchers presented a proof of concept showcasing users with masks or plastic surgery bypassing Windows Hello facial recognition authentication.