Mobile Technology

Windows Hello Fingerprint Authentication Vulnerabilities Expose Major Security Risks

Update on by Abdulsamad Muhammad

Uncovering Flaws in Windows Laptop Fingerprint Sensors

Security researchers at Blackwing Intelligence have uncovered critical vulnerabilities in the implementation of fingerprint authentication on laptops from major manufacturers, including Dell, Lenovo, and Microsoft. The flaws extend to Microsoft’s Windows Hello fingerprint authentication, with potential security risks for businesses relying on this technology.

Research Findings:
Microsoft’s Offensive Research and Security Engineering (MORSE) engaged Blackwing Intelligence to assess the security of fingerprint sensors. The researchers identified popular sensors from Goodix, Synaptics, and ELAN as targets for their investigation. A presentation at Microsoft’s BlueHat conference in October highlighted the flaws, revealing a focus on building a USB device capable of executing a man-in-the-middle (MitM) attack.

Affected Devices:
Security researchers successfully bypassed Windows Hello fingerprint protection on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops. The vulnerabilities allowed unauthorized access in scenarios where fingerprint authentication had been previously used.

Methodology:
The research involved reverse engineering both software and hardware components. Cryptographic implementation flaws were discovered in a custom TLS on the Synaptics sensor. The complex process of bypassing Windows Hello included decoding and reimplementing proprietary protocols.

History of Vulnerabilities:
This incident isn’t the first time Windows Hello biometrics-based authentication has faced challenges. Microsoft had to address a Windows Hello authentication bypass vulnerability in 2021, responding to a proof-of-concept involving infrared image capture to spoof facial recognition.

Challenges for Microsoft:
Blackwing Intelligence researchers expressed concerns about the Secure Device Connection Protocol (SDCP) designed by Microsoft. While SDCP aims to secure the channel between the host and biometric devices, the researchers found that device manufacturers often misunderstand its objectives. Additionally, SDCP’s coverage is limited, leaving a significant attack surface exposed.

Recommendations and Future Exploration:
Blackwing Intelligence recommends OEMs ensure SDCP is enabled and conduct audits by qualified experts on fingerprint sensor implementations. The researchers are exploring memory corruption attacks on sensor firmware and extending their focus to fingerprint sensor security on Linux, Android, and Apple devices.

Source: The Verge

Join Our WhatsApp, Facebook, or Telegram Group For More News, Click This Link Below;

WhatsApp Channel

https://whatsapp.com/channel/0029VaTsG6L60eBZ0fm9Za1O


WhatsApp Group

https://chat.whatsapp.com/DCV43KxQ6PZDj66acQ7ULM


Facebook Page

https://facebook.com/allmediaconnect


Our Twitter Page

https://www.twitter.com/allmediaconnect
Telegram Group

https://t.me/allmediaconnect

You may also like

One thought on “Windows Hello Fingerprint Authentication Vulnerabilities Expose Major Security Risks

  1. Pingback: Tiny11: Windows 11’s Lightweight Version Sheds Size and Gains Windows Copilot in Latest Update – AllMediaConnect – Tech News and Affiliate Hub

Leave a Reply

Your email address will not be published. Required fields are marked *