Researchers bypassed Windows Hello authentication on Microsoft, Dell laptops

SAN FRANCISCO: Researchers have bypassed Windows Hello fingerprint authentication on laptops from Dell, Lenovo, and even Microsoft.

Blackwing Intelligence security researchers uncovered various vulnerabilities in the top three fingerprint sensors installed in laptops and commonly used by enterprises to safeguard laptops with Windows Hello fingerprint authentication.

Blackwing Intelligence was asked by Microsoft's Offensive Research and Security Engineering (MORSE) to analyse the security of fingerprint sensors, and the researchers presented their findings at Microsoft's BlueHat conference in October.

Blackwing researchers Jesse D'Aguanno and Timo Teras focused on embedded fingerprint sensors made by ELAN, Synaptics, and Goodix found on the Microsoft Surface Pro X, Lenovo ThinkPad T14, and Dell Inspiron 15.

All of the fingerprint sensors examined were Match-on-Chip (MoC) sensors with their own microprocessor and storage, allowing fingerprint matching to take place securely within the chip.

However, while MoC sensors prohibit the host from replaying stored fingerprint data for matching, they do not prevent a rogue sensor from impersonating a genuine sensor's communication with the host. This could give the impression that user authentication was completed or replay previously recorded communication between the host and sensor.

Microsoft developed the Secure Device Connection Protocol (SDCP) to protect against attacks that could exploit the vulnerabilities in the fingerprint device. The protocol ensures that the device is trusted, and healthy, and that the communication between the fingerprint device and the host is protected on targeted devices.

Despite this, the security researchers successfully bypassed Windows Hello authentication on three laptops using man-in-the-middle (MiTM) attacks, leveraging a custom Linux-powered Raspberry Pi 4 device.

Authentication bypass was accomplished on Dell and Lenovo laptops by enumerating valid IDs and registering the attacker's fingerprint using the ID of a legitimate Windows user (the Synaptics sensor used a custom TLS stack instead of SDCP to secure USB communication).

"Microsoft did a good job designing SDCP to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives," the researchers said in a blogpost.

"Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all," they added.