Security experts find new flaws in Windows Hello fingerprint authentication

Microsoft recently commissioned cybersecurity researchers at Blackwing Intelligence to extensively test Windows Hello biometric authentication. After a thorough three-month examination, the company has shared its findings (via The Verge) revealing security vulnerabilities in fingerprint sensors for Dell, Lenovo, and Microsoft devices.

The researchers were able to bypass Windows Hello authentication on all three devices due to these vulnerabilities, highlighting the ease with which Microsoft’s Surface Type Cover fingerprint sensor can be bypassed.


The security researchers conducted tests on a Dell Inspiron 15 with a Goodix fingerprint sensor, a Lenovo ThinkPad with a Synaptics sensor, and an ARM-based Surface Pro X with an ELAN sensor in the Type Cover. Their analysis showed that the Lenovo ThinkPad had better encrypted host-to-sensor communication and overall code quality than the other devices. Even so, they still had to develop device-specific methods to bypass the security measures of all three fingerprint sensors.

For the Dell Inspiron 15, the researchers used a USB man-in-the-middle attack to rewrite a configuration packet and avoid Microsoft’s Secure Device Connection Protocol. On the Lenovo ThinkPad, the team found that the Synaptics sensor used a less secure custom Transport Layer Security (TLS) implementation, and that its client certificate and key were accessible to anyone. Finally, the fingerprint sensor on the Microsoft Surface Pro X Type Cover was deemed the easiest to compromise, as the researchers simply had to disconnect it and replace it with a spoofed attack device.

In conclusion, the researchers urged biometric sensor vendors to make sure that Microsoft’s Secure Device Connection Protocol is enabled, so that communication with fingerprint sensors is secured. They recommended that device manufacturers thoroughly understand and implement the protocol to strengthen the security of biometric systems. While the researchers noted that Windows Hello biometric authentication is still more secure than using a password, the study revealed that there is room for improvement and for further analysis by security experts.
