Windows Hello is designed to enhance the security of Windows PCs with fingerprint or facial recognition authentication. However, security researchers have managed to bypass the former on computers from Dell, Lenovo, and Microsoft.
A flaw that bypasses Windows Hello fingerprint authentication
Security researchers at Blackwing Intelligence have discovered multiple vulnerabilities in the three main fingerprint sensors built into laptops, widely used by businesses to secure PCs with Windows Hello’s fingerprint authentication.
Microsoft’s Offensive Research and Security Engineering (MORSE) team asked Blackwing Intelligence to assess the security of fingerprint sensors. The researchers presented their findings at Microsoft’s BlueHat conference. The team identified popular fingerprint sensors from Goodix, Synaptics, and ELAN as targets for their research. The bypass relies on a USB device capable of performing a man-in-the-middle (MitM) attack. Such an attack could give access to a stolen laptop, or be carried out as an “evil maid” attack on an unattended device.
Blackwing Intelligence’s security researchers were able to understand how Windows Hello works, both at the software and hardware levels. They discovered flaws in the cryptographic implementation of custom TLS on the Synaptics sensor. The complex process of bypassing Windows Hello also involves decoding, and a fix is not certain.
Can we expect a fix from Microsoft? It’s uncertain.
The researchers point out, however, that Microsoft has done a good job with the Secure Device Connection Protocol (SDCP) “to provide a secure channel between the host and biometric devices, but unfortunately, device manufacturers seem to misunderstand some of the goals.”
The researchers found that Microsoft’s SDCP protection was not enabled on two of the three devices they targeted (Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X). Blackwing Intelligence, therefore, recommends that manufacturers ensure that SDCP protection is enabled and that the implementation of the fingerprint sensor is verified by a qualified expert.
This isn’t the first time Windows Hello has been bypassed. It already happened in 2021, in an attack that used an infrared image of a victim to spoof Windows Hello’s facial recognition feature and involved reimplementing proprietary protocols.