Cybersecurity researchers from Blackwing Intelligence successfully bypassed three fingerprint readers used for logging in or allowing specific actions with Microsoft’s Windows Hello system.
The team discovered vulnerabilities in three of the most popular fingerprint sensors embedded in Windows laptops after Microsoft’s Offensive Research and Security Engineering (MORSE) division asked them to evaluate the sensors’ security.
The researchers probed the fingerprint readers on two laptops — the Dell Inspiron 15 and Lenovo ThinkPad T14 — as well as the Microsoft Surface Pro Type Cover with a built-in fingerprint scanner.
These feature fingerprint readers from the following vendors:
- Dell Inspiron 15 — Goodix
- Lenovo ThinkPad T14 — Synaptics
- Microsoft Surface Pro Type Cover — ELAN
Ars Technica reported that one of these three companies usually made the fingerprint sensor in the laptops it had reviewed in the past few years.
The bypasses involved extensive reverse engineering of software and hardware, exploiting cryptographic flaws in a custom Transport Layer Security (TLS) implementation, and deciphering and reimplementing proprietary protocols.
Windows Hello uses the Microsoft-developed Secure Device Connection Protocol (SDCP) to confirm that inputs from fingerprint sensors are trustworthy and uncompromised.
It also encrypts traffic between the sensor and the rest of the computer.
SDCP works — but vendors are not implementing it
The researchers said that SDCP’s design provided a secure channel between the host and biometric devices but that device manufacturers seemed to misunderstand some of its objectives.
“Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all,” Blackwing said.
Each fingerprint reader had a different vulnerability. For example, the researchers discovered that the Goodix reader implemented SDCP correctly on Windows but not on Linux.
To exploit this, they connected the sensor to a Raspberry Pi 4 and enrolled a new fingerprint, which then granted access to a Windows account.
Neither the Synaptics nor the ELAN fingerprint sensor had SDCP enabled.
The Synaptics reader used a custom TLS implementation for data transfer, whereas the ELAN reader communicated in cleartext over USB.
Both could be exploited to pass biometric authentication without the correct fingerprint.
Blackwing delivered a breakdown of how they bypassed the security at Microsoft’s BlueHat conference in October 2023.
They also posted a detailed account of how they exploited the vulnerabilities over three months of work.
The researchers strongly recommended that fingerprint reader manufacturers ensure SDCP is enabled and have a qualified third party audit their implementation of the protocol.
Given how elaborate the exploits are, it is improbable that someone would be able to quickly gain access to your system with them while you are looking the other way.
However, a thief who stole a laptop and had access to the tools and software described in the bypass process might be able to gain unauthorised access to your most sensitive data and accounts, as they would have time on their side.