Andrew Cunningham
Since the introduction of Windows 10 in 2015, the majority of Windows laptops and tablets feature some form of biometric authentication device. This could be a face- or iris-scanning infrared webcam, or a fingerprint sensor mounted on the power button or elsewhere on the device.
Despite the convenience of these authentication methods, they are not entirely immune to security exploits. In 2021, researchers were able to deceive certain Windows Hello IR webcams with infrared images of users’ faces. Additionally, researchers at Blackwing Intelligence recently published a detailed document outlining their successful workarounds of popular fingerprint sensors used in Windows PCs.
Security researchers Jesse D’Aguanno and Timo Teräs detailed how, through reverse-engineering and external hardware, they were able to deceive the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the ELAN sensor in one of Microsoft’s Surface Pro Type Covers. Their findings suggest that most Windows PCs with fingerprint readers are likely to be vulnerable to similar exploits.
Blackwing’s post also provides an insightful overview of the functionality of fingerprint sensors in a modern PC. These Windows Hello-compatible fingerprint readers typically use “match on chip” sensors, which means that the sensor has its own processors and storage to independently perform all fingerprint scanning and matching without relying on the host PC’s hardware. This ensures that fingerprint data cannot be accessed or extracted if the host PC is compromised.
The communication between the fingerprint sensor and the rest of the system is meant to be handled by the Secure Device Connection Protocol (SCDP), a Microsoft-developed protocol designed to ensure the trustworthiness and security of fingerprint sensors. However, Blackwing discovered that each fingerprint sensor was ultimately defeated by a different weakness, ranging from poor code quality to communication vulnerabilities. While these exploits ultimately require physical access to a device and a determined attacker, the wide variety of possible exploits highlights the need for improved security measures.
Blackwing recommends that all Windows Hello fingerprint sensors should enable and use SCDP and that PC makers should undergo third-party audits to improve code quality and security. Additionally, Microsoft’s Offensive Research & Security Engineering (MORSE) team has invited Blackwing Intelligence to try to break these fingerprint sensors, suggesting that there may be future improvements in securing Windows systems. The Blackwing team plans to investigate further vulnerabilities in each fingerprint sensor’s firmware and debug interfaces, with potential plans to examine fingerprint readers in Linux, Android, and Apple devices.
