An alarming discovery has been made regarding the security of Windows Hello fingerprint authentication on laptops from Dell, Lenovo, and even Microsoft. Blackwing Intelligence, a leading security research group, has identified multiple vulnerabilities in the top three fingerprint sensors commonly used in business laptops to secure Windows Hello fingerprint authentication.
Requested by Microsoft’s Offensive Research and Security Engineering (MORSE) team, Blackwing Intelligence evaluated the security of fingerprint sensors and presented their findings at Microsoft’s BlueHat conference. The team targeted popular fingerprint sensors from Goodix, Synaptics, and ELAN, demonstrating a man-in-the-middle (MitM) attack carried out through a customized USB device. Because the attack requires physical access to the hardware, stolen or unattended laptops are the devices at risk.
The Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X were all compromised, allowing Windows Hello protection to be bypassed. Blackwing Intelligence’s extensive research revealed cryptographic flaws and documented the complex process needed to circumvent Windows Hello’s security measures.
Fingerprint sensors have become ubiquitous among Windows laptop users due to Microsoft’s Windows Hello initiative. Nearly 85 percent of consumers are using Windows Hello instead of traditional passwords, showcasing the widespread adoption of biometric authentication.
This isn’t the first time Windows Hello biometrics-based authentication has been breached. A previous incident involved spoofing Windows Hello’s facial recognition feature by capturing an infrared image of a victim. The current vulnerabilities pose a significant challenge for Microsoft and device manufacturers moving forward.
The researchers found that Microsoft’s Secure Device Connection Protocol (SDCP), which is meant to establish an authenticated, encrypted channel between the host and the fingerprint sensor so that a device inserted between them cannot tamper with the authentication, wasn’t enabled on two of the three devices they targeted. Blackwing Intelligence’s recommendations for OEMs and their exploration of memory corruption attacks on sensor firmware signify the ongoing battle to secure biometric authentication.