Microsoft, Dell and Lenovo laptops vulnerable to Windows Hello authentication flaw

Researchers employed reverse engineering techniques on both software and hardware

Hardware security experts from Blackwing Intelligence have exposed vulnerabilities in Windows Hello's fingerprint authentication system, demonstrating how it can be bypassed to gain unauthorised access to devices.

The research, sponsored by Microsoft's Offensive Research and Security Engineering group and presented at the Microsoft BlueHat conference, sheds light on critical shortcomings in the implementation of fingerprint authentication on certain laptops.

The focus of the research was on three popular laptop models: Microsoft Surface Pro 8/X, Dell Inspiron 15 and Lenovo ThinkPad T14, each equipped with fingerprint sensors from ELAN, Goodix and Synaptics, respectively.

The security experts, Jesse D'Aguanno and Timo Teräs, employed reverse engineering techniques on both software and hardware, discovering that all three devices were vulnerable to different methods of bypassing Windows Hello's fingerprint authentication.

According to the researchers, the vulnerabilities are not inherent to Windows Hello or fingerprint technology itself. Instead, they stem from shortcomings and oversights in the communication between the hardware and software components of the authentication system.

If an attacker can gain physical access to the device long enough to connect electronic equipment, they could exploit these vulnerabilities and bypass the fingerprint authentication.

Windows Hello enables users to access the OS by logging in with their fingerprint.

The usual process involves generating an ID linked to a user's fingerprint, stored within the sensor chipset. During login, the OS matches the presented fingerprint with the stored print associated with the generated ID.

The vulnerabilities, however, allow manipulation of the fingerprint sensor's data.

One identified method involves using a Linux boot to rewrite the sensor's data, enabling unauthorised access even while the computer is running. This attack, executed with a man-in-the-middle device (a USB device), poses a significant challenge to security measures.

Blackwing Intelligence emphasised that, despite these vulnerabilities, full-disk encryption and BIOS passwords can still provide effective protection.

While the researchers recognised Microsoft's dedication to designing the Secure Device Connection Protocol (SDCP) for establishing a secure channel between the host and biometric devices, they criticised device manufacturers for misunderstanding certain objectives and the restricted scope of SDCP.

Surprisingly, SDCP was not activated on two out of three of the laptops under investigation, prompting concerns about the comprehensive security measures implemented by manufacturers.

Blackwing Intelligence urged vendors to ensure SDCP is enabled in biometric authentication solutions.

"It doesn't help if it's not turned on," they noted.

Fingerprint sensors have gained widespread adoption among Windows laptop users due to Microsoft's promotion of Windows Hello and its vision for a password-less future. Three years ago, Microsoft reported that almost 85% of consumers were using Windows Hello for sign-ins on Windows 10 devices.