Security researchers bypassed Windows Hello fingerprint authentication on Dell Inspiron, Lenovo ThinkPad, and Microsoft Surface Pro X laptops in attacks exploiting security flaws found in the embedded fingerprint sensors.
Blackwing Intelligence security researchers discovered vulnerabilities during research sponsored by Microsoft's Offensive Research and Security Engineering (MORSE) to assess the security of the top three embedded fingerprint sensors used for Windows Hello fingerprint authentication.
Blackwing's Jesse D'Aguanno and Timo Teräs targeted embedded fingerprint sensors made by ELAN, Synaptics, and Goodix on Microsoft Surface Pro X, Lenovo ThinkPad T14, and Dell Inspiron 15.
All tested fingerprint sensors were Match-on-Chip (MoC) sensors with their own microprocessor and storage, allowing fingerprint matching to be performed securely within the chip.
However, while MoC sensors prevent the stored fingerprint data from being replayed to the host for matching, they do not inherently stop a malicious sensor from mimicking a legitimate sensor's communication with the host. A malicious device could therefore falsely report a successful user authentication, or replay previously observed traffic between the host and the sensor.
To counter attacks that exploit these weaknesses, Microsoft developed the Secure Device Connection Protocol (SDCP), which should have ensured that the fingerprint device was trusted and healthy and that the input exchanged between the fingerprint device and the host was protected on the targeted devices.
Despite this, the security researchers successfully bypassed Windows Hello authentication using man-in-the-middle (MiTM) attacks on all three laptops, leveraging a custom Linux-powered Raspberry Pi 4 device.
Throughout the process, they used software and hardware reverse engineering, exploited cryptographic implementation flaws in the Synaptics sensor's custom TLS protocol, and decoded and re-implemented proprietary protocols.
On Dell and Lenovo laptops, authentication bypass was achieved by enumerating valid IDs and enrolling the attacker's fingerprint using the ID of a legitimate Windows user (the Synaptics sensor used a custom TLS stack instead of SDCP to secure USB communication).
For the Surface device, whose ELAN fingerprint sensor had no SDCP protection, used cleartext USB communication, and had no authentication, they spoofed the fingerprint sensor after disconnecting the Type Cover containing the sensor and sent valid login responses from the spoofed device.
"Microsoft did a good job designing SDCP to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives," the researchers said.
"Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all."
After finding that SDCP wasn't even enabled on two of the three targeted laptops, Blackwing Intelligence recommends that vendors of biometric authentication solutions make sure SDCP is enabled, since it cannot help thwart attacks if it is not turned on.
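The two failure modes the article describes, a device whose "match succeeded" reply is accepted in cleartext with no authentication, and a reply that can be replayed later, both come down to the host not binding the sensor's answer to the current authentication attempt. The following added example (not code from the article, from Blackwing, or from Microsoft) models that in a few lines: a plain channel that accepts any well-formed reply, beside a channel where the host issues a fresh nonce and the sensor must return an HMAC over nonce plus reply. It is a simplified stand-in for the properties SDCP is meant to provide, not SDCP itself; the pre-shared `PAIRING_KEY`, the JSON message shape and the `|` separator are all assumptions constructed for the example.

```python
"""Toy model of an unauthenticated sensor-to-host channel beside a
nonce-bound, MAC-protected one. Constructed example; not SDCP and not
any vendor's firmware or driver."""
import hashlib
import hmac
import json
import secrets

# Secret shared between the host and a genuine sensor. Assumed to have been
# established out of band (e.g. at pairing); constructed value for the demo.
PAIRING_KEY = b"example-pairing-key-not-real"


def sensor_reply_plain(user_id: int) -> bytes:
    """Cleartext, unauthenticated 'match succeeded' message."""
    return json.dumps({"result": "match", "user_id": user_id}).encode()


def host_accept_plain(reply: bytes) -> bool:
    """Host that trusts whatever arrives on the bus: any device that can
    produce this JSON is indistinguishable from the real sensor."""
    msg = json.loads(reply)
    return msg.get("result") == "match"


def sensor_reply_secured(key: bytes, nonce: bytes, user_id: int) -> bytes:
    """Genuine sensor: bind the reply to the host's fresh nonce with an HMAC,
    so the same bytes are worthless for any later authentication attempt."""
    body = json.dumps({"result": "match", "user_id": user_id}).encode()
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return body + b"|" + tag.hex().encode()


def host_accept_secured(key: bytes, nonce: bytes, reply: bytes) -> bool:
    """Host: recompute the MAC over the nonce it issued for THIS attempt and
    compare in constant time before looking at the match result at all."""
    body, _, tag_hex = reply.rpartition(b"|")
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    try:
        tag = bytes.fromhex(tag_hex.decode())
    except (ValueError, UnicodeDecodeError):
        return False
    if not hmac.compare_digest(tag, expected):
        return False
    return json.loads(body).get("result") == "match"


def demo() -> dict:
    """Run the four cases and return which ones the host accepted."""
    results = {}
    # 1. Plain channel: a reply built by any device on the bus is accepted.
    results["plain_spoof_accepted"] = host_accept_plain(sensor_reply_plain(1))
    # 2. Secured channel, genuine sensor answering the current nonce.
    n1 = secrets.token_bytes(32)
    genuine = sensor_reply_secured(PAIRING_KEY, n1, 1)
    results["secured_genuine_accepted"] = host_accept_secured(PAIRING_KEY, n1, genuine)
    # 3. The same genuine reply replayed against a later attempt (new nonce).
    n2 = secrets.token_bytes(32)
    results["secured_replay_accepted"] = host_accept_secured(PAIRING_KEY, n2, genuine)
    # 4. A device without the pairing key answering the current nonce.
    forged = sensor_reply_secured(b"wrong-key", n2, 1)
    results["secured_spoof_accepted"] = host_accept_secured(PAIRING_KEY, n2, forged)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {accepted}")
```

Only the genuine reply to the current nonce passes on the secured channel; the replayed reply and the reply from a device without the key are rejected before the host ever reads the match result. The point for implementers is the one the article makes: a protection like this only helps if it is actually enabled on the shipped device, and it only covers the messages it is applied to.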
Microsoft said three years ago that the number of users signing into their Windows 10 devices using Windows Hello instead of using a password grew to 84.7 percent from 69.4 percent in 2019.
Comments
DrkKnight - 5 months ago
Microsoft's own tech, developed by them, bypassed on their very own product. Well that is pretty disturbing, now I know to never buy a Microsoft product with an embedded fingerprint scanner.
NoneRain - 5 months ago
What you fail to get is that this research was also sponsored by Microsoft. When an enterprise pays to get hacked, they're looking to improve their products and expose flaws to themselves.
Mind you that no device or technology is 100% secure.
If this made you lose trust in MS' products, you should also know that Apple's ones also got pwned, just like any other device in existence...
DrkKnight - 5 months ago
Oh I get it, even though it was MS sponsored they were probably hoping for a better outcome, understanding no tech is 100% secure this is what companies have R&D for. Every day we see people's information being stolen, you would just think they would spend a little more time preventing it from happening, test your product thoroughly before releasing it to the public.
I wonder how the results would have turned out using third party hardware / fingerprint scanners?
Lefty4444 - 5 months ago
Are there any mitigations for vulnerable devices? (Windows)