Security researchers crack Windows Hello fingerprint logins with elaborate exploit

Jan

Who's the Boss?
Staff member
Joined
May 24, 2010
Messages
12,938
Researchers bypass Windows fingerprint logins

Cybersecurity researchers from Blackwing Intelligence successfully bypassed three fingerprint readers used for logging in or allowing specific actions with Microsoft's Windows Hello system.

The team discovered vulnerabilities in three of the most popular fingerprint sensors embedded in Windows laptops after Microsoft's Offensive Research and Security Engineering (Morsa) division asked them to evaluate their security.
 
However, a thief who stole a laptop and had access to the tools and software described in the bypass process might be able to gain unauthorised access to your most sensitive data and accounts, as they would have time on their side.
Or just put the harddrive in another computer.
 
And that will help how in bypassing TPM linked bitlocker?* This method can at least bypass that restriction.

*if not encrypted then that's on the laptop owner
In the same way. Windows does not encrypt keys using authentication or else simply bypassing a reader would be useless and you'd have to simulate a fingerprint as well. That's the real vulnerability that makes all forms of authentication pointless.
 
Or just put the harddrive in another computer.
Rather do not store any data on your laptop or ay other computer - remember it all in your head.

Almost a joke - but cyber threats are so sophisticated it almost makes it impossible to be safe.
 
In the same way. Windows does not encrypt keys using authentication or else simply bypassing a reader would be useless and you'd have to simulate a fingerprint as well. That's the real vulnerability that makes all forms of authentication pointless.
No, it will ask for the bitlocker key, changing the biometrics as described will do nothing to unlock the drive on another machine, Point is it will need to be in original computer.
 
No, it will ask for the bitlocker key, changing the biometrics as described will do nothing to unlock the drive on another machine, Point is it will need to be in original computer.
Point is it's not zero knowledge which would make such an attack useless. Everything needed to decrypt is stored and can be accessed.
 
Patch it fast with the Windows Koebaai system!
That won't fix the vulnerability, because the flaw isn't in Windows but in the way many hardware vendors implement the fingerprint scanner without enabling SDCP. Without a secure end-to-end channel between the fingerprint sensor and the host device there's just not way a hack-proof sensor can be implemented. Using any other operating system on those devices won't fix this problem either - it's wired and firmware'd in to the hardware.
 
That won't fix the vulnerability, because the flaw isn't in Windows but in the way many hardware vendors implement the fingerprint scanner without enabling SDCP. Without a secure end-to-end channel between the fingerprint sensor and the host device there's just not way a hack-proof sensor can be implemented. Using any other operating system on those devices won't fix this problem either - it's wired and firmware'd in to the hardware.
It won't fix the real issue in any case because the fingerprint isn't used as a key but a simple authorisation.
 
Security on MS Windows has always been half baked, so what's new.

But then taking the number of idiots using it, if they made it properly secure, they would lose a massive amount of customers, not able to use it. Customers, are money ...
 
Back
Top