Researchers Undermine 'Windows Hello' on Lenovo, Dell, Surface Pro PCs

Researchers have figured out how to compromise three of the most common fingerprint readers used by today's PCs.

With support from Microsoft, analysts from Blackwing Intelligence attempted to subvert the biometric security offered by three sample laptops: a Dell Inspiron 15, a Lenovo ThinkPad T14, and the Microsoft Surface Pro 8/X. In the course of the study, they discovered ways to exploit each of the three brands of print sensors used by those devices for Microsoft's sign-in service, "Windows Hello."

Each such exploit required that a user already had fingerprint authentication enabled, and that the attacker had physical access to the device.

Though the sensors themselves read fingerprints perfectly well, the analysts were able to take advantage of the line of communication between those sensors and their host devices.

Though neither he nor Dark Reading could confirm it as of this writing, Jesse D'Aguanno, CEO and director of research at Blackwing Intelligence, told this publication that the manufacturers — Goodix, Synaptics, and Elan — have since patched their chips.

How to Subvert Fingerprint Sensors

By default, Windows Hello requires that fingerprint readers are "match-on-chip" (MoC), as opposed to "match-on-host" (MoH). MoC means that they have microprocessors and storage built in, eliminating the need to process and store sensitive biometric data on the host computer. That way privacy is maintained, even if the host is compromised.

While MoC might prevent a hacker from obtaining access using a stored copy of fingerprint data, it doesn't on its own prevent a malicious sensor from stepping in for the legitimate one and claiming a successful authentication attempt, or simply replaying a previously successful attempt.

To secure end-to-end communication between sensor and host, Microsoft developed the Secure Device Connection Protocol (SDCP). However, two of the three readers in question did not have SDCP enabled by default, and a third suffered from imperfect implementation.

Because Elan sensors didn't have SDCP turned on, for example, and because they transmitted security IDs in cleartext, the researchers were able to simply use a USB as a stand-in, convincing the host machine of an authorized login.

Synaptics also skimped on SDCP protection, and for Goodix-protected computers with both Windows and Linux installed, the researchers were able to more circuitously take advantage of the fact that Linux doesn't support SDCP.

Potentially a Bigger Picture

D'Aguanno's study was limited to three laptops, serviced by three models of fingerprint reader. It's possible that the similar kinds of vulnerabilities remain undiscovered and unaddressed in more chips, and more computers around the world that rely on them.

"Whether it's other manufacturers or other environments like Linux, or in the Apple ecosystem, there's potential there as well, of course," D'Aguanno says.

For what it's worth, though, his research hasn't spoiled his faith in biometrics.

"There are a lot of security professionals that think biometrics are really bad, inherently. I actually feel like appropriate use of biometrics can bolster security in a lot of ways," he says. "It can allow you to choose a longer, more secure password that then is also used for other security mechanisms like generating more secure encryption keys for securing your data. So the use of biometrics then gives you that level of convenience."