Security researchers bypassed Windows Hello fingerprint authentication by exploiting security flaws found in embedded fingerprint sensors on Dell Inspiron, Lenovo ThinkPad and Microsoft Surface Pro X laptops.
Blackwing Intelligence security researchers discovered the vulnerabilities during research sponsored by Microsoft’s Offensive Research and Security Engineering (MORSE) to assess the security of the first three embedded fingerprint sensors used for Windows Hello fingerprint authentication.
Blackwing’s Jesse D’Aguanno and Timo Teräs targeted embedded fingerprint sensors made by ELAN, Synaptics and Goodix in the Microsoft Surface Pro X, Lenovo ThinkPad T14 and Dell Inspiron 15.
All fingerprint sensors tested are match-on-chip (MoC) sensors, with their own microprocessor and storage, allowing fingerprint matching to be performed securely on-chip.
However, while MoC sensors prevent stored fingerprint data from being replayed to the host, they do not inherently stop a malicious sensor from impersonating a legitimate sensor’s communication with the host. This may falsely indicate successful user authentication or replay previously observed traffic between the host and the sensor.
To counter attacks that exploit these weaknesses, Microsoft developed the Secure Device Connection Protocol (SDCP), which is supposed to ensure that the fingerprint device is trusted and healthy, and that the input between the fingerprint device and the host is protected on the targeted devices. .
Despite this, security researchers successfully bypassed Windows Hello authentication using man-in-the-middle (MITM) attacks on all three laptops using a custom Linux-powered Raspberry Pi 4 device.
Throughout the process, they used software and hardware reverse-engineering, breaking cryptographic implementation flaws in the Synaptics sensor’s custom TLS protocol, and decoding and re-implementing proprietary protocols.
On Dell and Lenovo laptops, authentication bypass was achieved by enumerating valid IDs and registering the attacker’s fingerprint using the legitimate Windows user’s ID (the Synaptics sensor used a custom TLS stack instead of SDCP to secure the USB connection).
They spoofed the fingerprint sensor after disconnecting the type card containing the sensor and sending valid login responses from the spoofed device to an ELAN fingerprint sensor that used cleartext USB communication and unauthenticated Surface device without SDCP protection.
“Microsoft did a good job designing SDCP to provide a secure channel between host and biometric devices, but unfortunately device manufacturers seem to be misunderstanding some of the intent,” the researchers said.
“Furthermore, SDCP only covers a very narrow scope of a typical device’s functionality, while most devices expose a substantial attack surface not covered by SDCP.”
After finding that Secure Device Connection Protocol (SDCP) was not enabled on even two-thirds of the targeted laptops, Blackwing Intelligence recommends that vendors producing biometric authentication solutions ensure that SDCP is enabled. On that day.
Microsoft said The number of users who signed in to their Windows 10 devices using Windows Hello instead of using a password increased from 69.4 percent in 2019 to 84.7 percent three years ago.
