Security researchers at Blackwing Intelligence have discovered multiple vulnerabilities in the three most widely deployed fingerprint sensors embedded in laptops, which enterprises rely on for Windows Hello fingerprint authentication to secure their devices. Microsoft's Windows Hello fingerprint verification has been bypassed on laptops from Dell, Lenovo and even Microsoft itself.
Microsoft's Offensive Research and Security Engineering (MORSE) team asked Blackwing Intelligence to evaluate the security of fingerprint sensors, and the researchers presented their findings at Microsoft's BlueHat conference in October. The research team targeted popular fingerprint sensors from Goodix, Synaptics and ELAN, and in a recent blog post detailed the in-depth process of building a USB device that performs man-in-the-middle (MitM) attacks against the sensor. The attack can be used to gain access to a stolen laptop or even to carry out "evil maid" attacks against unattended devices.
The targeted machines were the Dell Inspiron 15, the Lenovo ThinkPad T14 and the Microsoft Surface Pro. Researchers at Blackwing Intelligence reverse-engineered the software and hardware and discovered a flaw in the encryption implementation of the custom TLS used by the Synaptics sensor. The complex process of bypassing Windows Hello also involved decoding and re-implementing proprietary protocols.
Thanks to Microsoft's push for Windows Hello and a passwordless future, fingerprint sensors are now widely used by Windows laptop users. Microsoft revealed three years ago that nearly 85% of consumers use Windows Hello to log into Windows 10 devices, rather than using a password (however, Microsoft counts a simple PIN as using Windows Hello).
This is not the first time Windows Hello biometric authentication has been compromised. In 2021, Microsoft was forced to fix a Windows Hello authentication bypass vulnerability that involved capturing an infrared image of the victim to trick Windows Hello's facial recognition feature.
However, it's unclear whether Microsoft can fix these latest vulnerabilities alone. In an in-depth report on the vulnerabilities, Blackwing Intelligence researchers Jesse D'Aguanno and Timo Teräs wrote: "Microsoft did a good job designing the Secure Device Connection Protocol (SDCP) to provide a secure channel between the host and the biometric device, but unfortunately, device manufacturers appear to have misunderstood some of these goals. Furthermore, SDCP only covers a very narrow operating range of typical devices, and most devices expose a considerable attack surface and are not covered by SDCP at all."
The researchers found that two of the three devices they targeted did not have Microsoft's SDCP protection enabled. Blackwing Intelligence now recommends that OEMs ensure SDCP is enabled and that fingerprint sensor implementations are reviewed by qualified experts. Blackwing Intelligence is also exploring memory corruption attacks on sensor firmware and even fingerprint sensor security on Linux, Android and Apple devices.
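As an added illustration (not the page's or Blackwing's code, and not Microsoft's actual SDCP implementation), the following simplified model shows what an authenticated host-to-sensor channel of the kind SDCP describes buys a defender: the host challenges with a fresh nonce and accepts a match result only if it carries a MAC under a key that a device interposed on the USB bus does not hold. Assumed for the example: a fixed session key standing in for SDCP's attested key agreement, and constructed user names.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed illustration, not Microsoft's SDCP or Blackwing's code. In SDCP the
# session key comes from attested key agreement; here it is a fixed test value.
SESSION_KEY = bytes.fromhex("11" * 32)  # placeholder key, constructed


def mac(key: bytes, user: str, nonce: bytes) -> bytes:
    """Authenticate the match result and bind it to the host's challenge."""
    return hmac.new(key, user.encode() + b"|" + nonce, hashlib.sha256).digest()


class Sensor:
    """Genuine sensor. key=None models a device shipped without SDCP enabled."""

    def __init__(self, key: Optional[bytes], finger_on_reader: str):
        self.key, self.finger = key, finger_on_reader

    def identify(self, nonce: bytes) -> dict:
        reply = {"user": self.finger, "nonce": nonce}  # assume the finger matches
        if self.key is not None:
            reply["mac"] = mac(self.key, self.finger, nonce)
        return reply


class InterposedDevice:
    """Device sitting between host and sensor; it holds no session key."""

    def __init__(self, replay: Optional[dict] = None):
        self.replay = replay  # a genuine reply captured earlier, if any

    def identify(self, nonce: bytes) -> dict:
        if self.replay:
            return self.replay  # replayed reply: genuine MAC, stale nonce
        return {"user": "alice", "nonce": nonce, "mac": b"\0" * 32}  # forged MAC


def host_login(device, require_sdcp: bool, key: bytes = SESSION_KEY) -> Optional[str]:
    """Host side: returns the authenticated user, or None if the reply is rejected."""
    nonce = os.urandom(16)
    reply = device.identify(nonce)
    if not require_sdcp:
        return reply["user"]  # trusts whatever arrives on the bus
    if reply.get("nonce") != nonce:
        return None  # not fresh: a replayed result
    if not hmac.compare_digest(reply.get("mac", b""), mac(key, reply["user"], nonce)):
        return None  # not produced by the keyed sensor
    return reply["user"]
```

Run with the SDCP-style check disabled, the forged reply logs "alice" in; with it enabled, both the forged and the replayed reply are rejected.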