Security experts from Blackwing Intelligence managed to circumvent the fingerprint recognition feature of Windows Hello on various laptops, including Dell Inspiron, Lenovo ThinkPad, and Microsoft Surface Pro X. This breakthrough was part of a Microsoft-sponsored project to evaluate the security of leading fingerprint sensors.
The investigation, led by Jesse D’Aguanno and Timo Teräs of Blackwing, focused on sensors from ELAN, Synaptics, and Goodix found in these laptops. These sensors, designed as Match-on-Chip (MoC) systems, have built-in processors and storage for secure fingerprint verification. Despite this design, which prevents the reuse of stored fingerprint data, the researchers identified a vulnerability: these sensors could be tricked into falsely verifying a user’s identity.
Microsoft had developed the Secure Device Connection Protocol (SDCP) to address such security concerns, ensuring a secure link between the fingerprint device and the host computer. Yet, the researchers were still able to bypass Windows Hello through man-in-the-middle attacks using a modified Raspberry Pi 4.
The team employed a combination of software and hardware reverse-engineering techniques. They exploited cryptographic weaknesses in the Synaptics sensor’s custom TLS protocol and reimplemented the sensors’ proprietary protocols. On the Dell and Lenovo models, the researchers identified valid user IDs and enrolled an intruder’s fingerprint under one of them. For the Surface Pro X, which lacked SDCP protection and used unencrypted USB communications, they created a fake fingerprint sensor that sent authentic-looking login responses.
The researchers highlighted that while Microsoft’s SDCP was well designed, its implementation by device manufacturers was lacking. They noted that SDCP’s scope was too limited, leaving significant vulnerabilities unaddressed, and they found that SDCP was not even enabled on two of the three laptops they tested. Blackwing Intelligence therefore advises biometric device manufacturers to ensure SDCP is enabled so that it can effectively counter such attacks.
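The property SDCP is meant to provide, and the gap left when it is disabled, can be shown with a small simulation. This is an added example, not Blackwing's or Microsoft's code, and it is a deliberately simplified model: it assumes a per-boot secret already shared between host and sensor (real SDCP derives one from a device key exchange, which is skipped here) and uses an HMAC where the real protocol uses its own message formats. The host either trusts any "match" message from the bus (the unprotected configuration the researchers found) or requires the message to carry a MAC over a fresh host nonce and the matched template ID. The classes, function names and sample data are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed, simplified model of a host <-> fingerprint-sensor exchange.
# Not Microsoft's SDCP code; it only illustrates the property SDCP provides:
# a "match" response is bound to a fresh host nonce with a key that a device
# or interposer on the bus does not hold, so it cannot be forged or replayed.

# Assumption: a per-boot secret already shared between host and sensor
# (SDCP derives this from a device key exchange, which this model skips).
SHARED_SECRET = secrets.token_bytes(32)

# Constructed enrolment table: template_id -> sample. In a Match-on-Chip
# design the templates never leave the chip; only the matched id is reported.
ENROLLED = {1: b"alice-sample", 2: b"bob-sample"}


def response_mac(secret: bytes, nonce: bytes, template_id: int) -> bytes:
    """MAC over the host's nonce and the matched identity."""
    data = b"sdcp-like-auth" + nonce + template_id.to_bytes(4, "big")
    return hmac.new(secret, data, hashlib.sha256).digest()


class Sensor:
    """Simulated Match-on-Chip sensor holding the shared secret."""

    def __init__(self, secret: bytes, enrolled: dict, protected: bool):
        self._secret = secret
        self._enrolled = enrolled
        self.protected = protected  # False models a sensor shipped with SDCP off

    def authenticate(self, sample: bytes, host_nonce: bytes) -> dict:
        match = next((tid for tid, s in self._enrolled.items() if s == sample), None)
        if match is None:
            return {"status": "no_match"}
        reply = {"status": "match", "template_id": match}
        if self.protected:
            reply["mac"] = response_mac(self._secret, host_nonce, match)
        return reply


class Host:
    """Host-side verifier. With protection on, a bare 'match' is not enough."""

    def __init__(self, secret: bytes, protected: bool):
        self._secret = secret
        self.protected = protected

    def new_nonce(self) -> bytes:
        return secrets.token_bytes(32)

    def accept(self, reply: dict, nonce: bytes) -> bool:
        if reply.get("status") != "match":
            return False
        if not self.protected:
            return True  # unauthenticated channel: any claimed match is trusted
        expected = response_mac(self._secret, nonce, reply["template_id"])
        return hmac.compare_digest(expected, reply.get("mac", b""))


def legitimate_login(protected: bool) -> bool:
    """An enrolled user on the genuine sensor succeeds in both modes."""
    host = Host(SHARED_SECRET, protected)
    sensor = Sensor(SHARED_SECRET, ENROLLED, protected)
    nonce = host.new_nonce()
    return host.accept(sensor.authenticate(b"alice-sample", nonce), nonce)


def unsigned_claim_accepted(protected: bool) -> bool:
    """A device on the bus that lacks the secret simply asserts a match."""
    host = Host(SHARED_SECRET, protected)
    nonce = host.new_nonce()
    forged = {"status": "match", "template_id": 1}  # no MAC: secret unknown
    return host.accept(forged, nonce)


def replay_accepted() -> bool:
    """A valid protected reply captured earlier is replayed against a new nonce."""
    host = Host(SHARED_SECRET, protected=True)
    sensor = Sensor(SHARED_SECRET, ENROLLED, protected=True)
    captured = sensor.authenticate(b"alice-sample", host.new_nonce())
    return host.accept(captured, host.new_nonce())
```

With `protected=False` the host accepts the bare claim, which is the situation the article describes for a sensor without an authenticated channel; with `protected=True` the same claim is rejected, and a captured genuine reply is rejected too because the nonce no longer matches. The defensive takeaway is the one Blackwing gives: the host must insist on the nonce-bound response and refuse to fall back to an unprotected sensor.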
The article also mentions Microsoft’s report from three years ago, stating that the use of Windows Hello for signing into Windows 10 devices had significantly increased, reaching 84.7% in 2020 from 69.4% in 2019.