KUALA LUMPUR, Nov 23 — If you’re using a premium or even a basic-yet-decent Windows laptop, chances are you’ll have a fingerprint sensor on it, typically doubling as a power button or perhaps located just off the keyboard in a corner somewhere. This fingerprint sensor is also typically one of the easiest ways for you to sign into your laptop thanks to Microsoft’s Windows Hello, which on the surface promises a biometric form of security ensuring only you—or anyone with your finger—can access your laptop.
Unfortunately, it seems that not all laptops with Windows Hello fingerprint authentication are the same. Blackwing Intelligence, a boutique cybersecurity research firm, has found a number of security issues with the fingerprint sensors themselves on these laptops. In a detailed blog post on their website, Blackwing revealed that they were asked by Microsoft’s own Offensive Research and Security Engineering (MORSE) team to evaluate the security of the three most popular fingerprint sensors used for Windows Hello fingerprint authentication, and ended up managing to not just discover these vulnerabilities but also successfully exploited them and bypassed Windows Hello altogether.
The team at Blackwing tested three different devices with Windows Hello fingerprint authentication: a Dell Inspiron 15, a Lenovo Thinkpad T14s and a Microsoft Surface Pro X. These three devices, apart from representing the various different types of Windows laptops around, also used fingerprint sensors from three different vendors respectively: Goodix, Synaptics and ELAN. As it turns out though, after about three months of research, the team at Blackwing not only bypassed the Windows Hello fingerprint authentication on all three devices, but did so in three different ways.
Starting with the Dell Inspiron 15, they discovered a vulnerability that allowed them to manipulate the biometric enrolment process itself by first booting into Linux and then using a man-in-the-middle attack to then log into Windows as the ‘real’ user. As for the Lenovo ThinkPad T14s, it was easily bypassed as it didn’t come with Microsoft’s Secure Device Connection Protocol (SDCP), which should’ve created a secure end-to-end channel between the host system and the fingerprint sensor. Turns out, even though the fingerprint sensor used here does support SDCP, Lenovo seemingly disabled it and used Synaptics’ own custom protocol instead... which was eventually bypassed by Blackwing anyway.
Lastly, with Microsoft’s own Surface Pro X, it turns out this was the easiest Windows Hello fingerprint sensor to bypass. Specifically, Blackwing were using the Surface Pro X Type Cover with the keyboard and embedded fingerprint sensor. They found out that not only was SDCP not implemented here, but there was no authentication protocol at all. This meant that any USB device could be spoofed and be recognised by the system as the ELAN fingerprint sensor and unlock the device.
Blackwing goes on to explain that SDCP itself is actually pretty decent, and provides a secure channel between the host system and its biometric devices. However, it appears that the manufacturers themselves may have misunderstood the purpose of SDCP. Of course, it didn’t help that SDCP wasn’t enabled at all on two of the three devices they used. Blackwing is now calling for laptop manufacturers to ensure that SDCP is enabled on their Windows Hello fingerprint sensors before shipping them out.
For the huge cybersecurity nerds out there who would like to learn more about Blackwing’s research into the Windows Hello fingerprint authentication bypass, you can check out both their presentation on it in the video above and their blog post about it on their website by clicking here. — SoyaCincau