Researchers Reveal Flaw With Microsoft’s Windows
Windows Hello fingerprint authentication sensors appear to be less secure than manufacturers hoped. Researchers discovered security flaws in multiple sensors used in various laptops with the feature.
Blackwing Intelligence researchers found that laptops made by Dell, Lenovo, and Microsoft can have Hello fingerprint authentication bypassed due to vulnerabilities in the sensors.
Many of the brands use sensors from Goodix, Synaptics, and ELAN. The vulnerabilities are starting to surface as businesses transition to biometrics as a primary way to access devices.
As time goes on, passwords will slowly become obsolete. Microsoft claimed three years ago that 85% of users were opting for the Hello sign-in on Windows 10 devices.
Following a request from Microsoft’s Offensive Research and Security Engineering (MORSE), researchers shared details of multiple attacks affecting devices with fingerprint authentication enabled.
One attack is a man-in-the-middle (MitM) attack, which is used to access stolen laptops. Another method is an “evil maid” attack, which is used on unattended devices.
Researchers tested a Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X, all of which fell victim to multiple bypass methods.
The researchers noted that the bypasses entailed reverse engineering of the hardware and software. Flaws were found in the security layer of the Synaptics sensor. Windows Hello had to be decoded and restructured to get past the setup, but it was still vulnerable to hacking.
It was also noted that Microsoft’s Secure Device Connection Protocol (SDCP) is a decent attempt to apply security measures within the biometric standard, allowing for more secure communication between the sensor and the laptop.
It was revealed, though, that not all manufacturers applied the feature well enough for it to be effective, if they enabled it at all. Two of the three examined had the feature enabled.
Blackwing Intelligence noted that the initial remedy is to secure Windows Hello laptops with SDCP enabled as well.
The study follows a 2021 facial recognition flaw in Windows Hello that allowed users to bypass the feature with specific alterations.
The company was forced to update the feature after proof was found that users with masks and plastic surgery could bypass the authentication.