In a serious security incident, multiple vulnerabilities were discovered in Microsoft’s Windows Hello fingerprint authentication on Dell, Lenovo and Surface Pro X laptops.
Security researchers at Blackwing Intelligence were asked by Microsoft’s Offensive Research and Security Engineering (MORSE) team to analyse and report on the fingerprint sensors of the laptops. The researchers complied with the request and presented their findings at Microsoft’s BlueHat conference in October.
The security team analysed three fingerprint sensor modules made by Synaptics, ELAN and Goodix on Lenovo ThinkPad T14, Microsoft Surface Pro X, and Dell Inspiron 15, respectively.
All three fingerprint sensors were match-on-chip (MoC) sensors, meaning each has its own storage and microprocessor so that fingerprint templates are stored and matched on the sensor itself rather than on the host.
The vulnerabilities discovered open up the possibility of unauthorised access to devices through man-in-the-middle (MitM) attacks, posing a serious threat to user security.
The tested laptops fell victim to fingerprint reader attacks. The attackers bypassed Windows Hello protection by exploiting flaws in both software and hardware components. The complex process involved building a USB device capable of performing a MitM attack, which could grant access to a stolen laptop or allow an ‘evil maid’ attack on an unattended device.
The Blackwing team reverse-engineered the proprietary protocols of the fingerprint sensors and uncovered cryptographic implementation flaws, particularly in the custom TLS on the Synaptics sensor. The attack involved decoding and reimplementing these protocols, showcasing the intricate nature of security breaches.
This is not the first time Windows Hello biometrics-based authentication has faced challenges. In 2021, Microsoft had to address a Windows Hello authentication bypass vulnerability related to facial recognition, reported BleepingComputer. The recent findings by Blackwing Intelligence indicate that the current vulnerabilities are not isolated incidents, raising concerns about the overall security framework.
One notable observation is that Microsoft’s Secure Device Connection Protocol (SDCP) was not enabled on two of the three devices targeted by the researchers. The researchers recommend that original equipment manufacturers (OEMs) ensure SDCP is enabled and have their fingerprint sensor implementations audited by qualified experts to mitigate these risks.
As biometric authentication gains prominence, this revelation further testifies to the fact that no security architecture can be foolproof. As device manufacturers and Microsoft struggle to address these vulnerabilities, users must apply extra caution while using vulnerable devices.