November 15, 2024

Valley Post


Fingerprint authentication is bypassed in Microsoft Windows Hello – Microsoft


Major security vulnerabilities have been found in the Windows Hello fingerprint authentication feature, affecting laptops from Dell, Lenovo, and Microsoft.

The vulnerabilities were discovered by Blackwing Intelligence, which was commissioned by Microsoft’s Offensive Research and Security Engineering (MORSE) to evaluate the security of fingerprint sensors.

The researchers focused on fingerprint sensors from Goodix, Synaptics, and ELAN and shared their findings at Microsoft’s BlueHat conference. They also published a blog post explaining how they created a USB device capable of performing a man-in-the-middle (MitM) attack, potentially granting access to a stolen laptop or enabling an attack on an unattended device.

Researchers were able to access fingerprint readers on the Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro. They set out to reverse engineer both the software and hardware, and discovered errors in the cryptographic implementation of a custom TLS in the Synaptics sensor. The process also involved decoding and reimplementing proprietary protocols.

Fingerprint sensors have become increasingly popular among Windows laptop users, with Microsoft reporting three years ago that nearly 85% of consumers use Windows Hello to log in instead of passwords. However, this is not the first time Windows Hello biometric authentication has been compromised. In 2021, Microsoft was forced to address a vulnerability that allowed Windows Hello authentication to be bypassed using a captured infrared image of the victim’s face.

Researchers note that although Microsoft’s Secure Device Communication Protocol (SDCP) is well-designed, device manufacturers appear to be misinterpreting some of its goals. In addition, SDCP covers only a small portion of a typical device’s operation, leaving a large attack surface exposed. The researchers also found that SDCP protection was not enabled on two of the three devices used in testing the attack.


Blackwing Intelligence advises manufacturers (OEMs) to ensure that SDCP is enabled and that the fingerprint sensor implementation is verified by a qualified expert. The researchers are also investigating potential memory corruption attacks on sensor firmware and the security of fingerprint sensors on Linux, Android, and Apple devices.




