Fingerprint authentication is surprisingly easy to bypass – researchers find critical vulnerabilities in Windows Hello
The fingerprint security systems found on many top business laptops today may not be as rock-solid as once thought, new research shows.
The Microsoft Offensive Research and Security Engineering (MORSE) team recently handed a number of research targets to Blackwing Intelligence with orders to crack their security.
The targets were three Windows laptops fitted with three of the best fingerprint sensors on the market, each used to identify users and grant access through Windows Hello. The company not only managed to crack all three laptops, but did so in surprising and intuitive ways.
Windows Hello errors
Blackwing Intelligence received three laptops: a Dell Inspiron 15, a Lenovo ThinkPad T14, and a Microsoft Surface Pro Type Cover with fingerprint ID.
Over three months, Blackwing managed to crack all three laptops using a series of increasingly inventive methods, before reporting the vulnerabilities to MORSE.
The Inspiron 15 was identified as a particularly vulnerable target due to a number of factors, including poor coding quality, cleartext communications, and good USB and Linux support.
Using a Raspberry Pi 4 (RP4) as a man-in-the-middle (MitM) device, the researchers found that they could disconnect the fingerprint sensor, use the RP4 to enumerate the fingerprints in the Windows database, and register their own fingerprints in a Linux database under the identity of a valid Windows user. They then redirected the fingerprint sensor to the Linux database; the sensor retrieves the authenticated fingerprint from there, and Windows grants access.
In its blog, Blackwing concludes that “Biometric authentication can be super useful for allowing users to log in easily.
“Microsoft has done a good job designing the Secure Device Connection Protocol (SDCP) to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers appear to be misunderstanding some of its objectives,” the report said.
“Additionally, SDCP only covers a very limited scope of a typical device’s operation, while most devices have a significant attack surface that is not covered by SDCP at all.
“We ultimately discovered that SDCP wasn’t even enabled on two of the three devices we targeted.”
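The quoted point about SDCP, as an added illustration that is not from the article and is not Microsoft's or Blackwing's code: a constructed, simplified Python model of the idea behind a secure host-to-sensor channel. It assumes a pairing secret shared by host and sensor, a constructed template ID for a valid Windows user, and a hypothetical interposed device standing in for the MitM described above; the real SDCP is considerably more involved.

```python
import hashlib
import hmac
import secrets

# Constructed, simplified model (not Microsoft's protocol): after pairing, host and
# sensor share a secret key. The sensor binds every match result to a fresh
# host-chosen nonce and to the matched template ID with an HMAC, so a device sitting
# between host and sensor cannot substitute a template ID or replay an old result.

PAIRED_KEY = secrets.token_bytes(32)   # assumed pairing secret (constructed)
WINDOWS_USER_ID = 7                    # constructed template ID of a valid Windows user


def sign_result(key: bytes, nonce: bytes, template_id: int) -> bytes:
    """Tag over (nonce, template_id) under the given key."""
    return hmac.new(key, nonce + template_id.to_bytes(4, "big"), hashlib.sha256).digest()


def genuine_sensor(nonce: bytes) -> tuple[int, bytes]:
    """Genuine sensor: reports a match on template 7, signed with the paired key."""
    return WINDOWS_USER_ID, sign_result(PAIRED_KEY, nonce, WINDOWS_USER_ID)


def interposed_device(nonce: bytes) -> tuple[int, bytes]:
    """Hypothetical interposed device: it never took part in pairing, so the best it
    can do is claim template 7 with a tag computed under a key of its own."""
    return WINDOWS_USER_ID, sign_result(b"not-the-paired-key", nonce, WINDOWS_USER_ID)


def host_login_without_sdcp(sensor) -> bool:
    """Host trusts whatever template ID comes back (the situation on the two devices
    where SDCP was not enabled): the channel itself is not authenticated."""
    template_id, _tag = sensor(secrets.token_bytes(32))
    return template_id == WINDOWS_USER_ID


def host_login_with_sdcp(sensor) -> bool:
    """Host accepts the template ID only if the tag verifies under the paired key
    for the nonce it just issued, in constant time."""
    nonce = secrets.token_bytes(32)
    template_id, tag = sensor(nonce)
    expected = sign_result(PAIRED_KEY, nonce, template_id)
    return hmac.compare_digest(tag, expected) and template_id == WINDOWS_USER_ID
```

Replaying a previously captured genuine result also fails under the SDCP-style check, because the host's nonce changes on every login.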