Researchers at Blackwing Intelligence have identified vulnerabilities in the fingerprint sensors used in laptops from major manufacturers such as Dell, Lenovo, and Microsoft. This breach, which directly affects the Windows Hello fingerprint authentication system, was disclosed in a detailed presentation at Microsoft’s BlueHat conference.
The investigation, initiated by Microsoft’s Offensive Research and Security Engineering (MORSE) team, was aimed at evaluating the security robustness of fingerprint sensors. The focus was on sensors from Goodix, Synaptics, and ELAN, which are embedded in laptops and widely utilized by businesses for securing devices via Windows Hello fingerprint authentication.
The researchers at Blackwing Intelligence developed a USB device capable of performing a man-in-the-middle (MitM) attack. This attack could potentially grant unauthorized access to a stolen laptop or enable an “evil maid” attack on an unattended device. The vulnerability was demonstrated on a Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X, where the Windows Hello protection was bypassed under conditions where fingerprint authentication was previously used.
The process of bypassing Windows Hello involved reverse engineering both the software and hardware of the fingerprint sensors. The team discovered cryptographic implementation flaws, particularly in a custom TLS protocol used by the Synaptics sensor. The researchers also decoded and reimplemented proprietary protocols, highlighting the complexity of the security breach.
Fingerprint sensors have become increasingly common in Windows laptops, driven by Microsoft’s push towards a password-less future. Microsoft had reported that nearly 85 percent of Windows 10 users were using Windows Hello for signing in, a figure that includes users employing simple PINs.
This incident isn’t the first time Windows Hello’s biometric authentication has been challenged. In 2021, Microsoft addressed a vulnerability that allowed spoofing of Windows Hello’s facial recognition feature using an infrared image.
The current vulnerabilities, according to Blackwing Intelligence researchers Jesse D’Aguanno and Timo Teräs, arise from a misunderstanding by device manufacturers regarding the objectives of Microsoft’s Secure Device Connection Protocol (SDCP). They observed that while SDCP provides a secure channel between the host and biometric devices, it covers only a limited aspect of a device’s operation, leaving other significant areas exposed to potential attacks.
The researchers found that SDCP protection was not enabled on two of the three devices they examined. Consequently, Blackwing Intelligence recommends that OEMs ensure the activation of SDCP and conduct thorough audits of fingerprint sensor implementations by qualified experts. The team is also exploring further security concerns, including memory corruption attacks on sensor firmware and the security of fingerprint sensors on other operating systems like Linux, Android, and Apple.
