Researchers Undermine 'Windows Hello' on Lenovo, Dell, Surface Pro PCs

Biometric security on PCs isn't quite as bulletproof as you might think, as the line between sensors and host computers can be tampered with.

3 Min Read
Fingerprint with 1s and 0s emanating from it
Source: Panther Media via Alamy Stock Photo

Researchers have figured out how to compromise three of the most common fingerprint readers used by today's PCs.

With support from Microsoft, analysts from Blackwing Intelligence attempted to subvert the biometric security offered by three sample laptops: a Dell Inspiron 15, a Lenovo ThinkPad T14, and the Microsoft Surface Pro 8/X. In the course of the study, they discovered ways to exploit each of the three brands of print sensors used by those devices for Microsoft's sign-in service, "Windows Hello."

Each such exploit required that a user already had fingerprint authentication enabled, and that the attacker had physical access to the device.

Though the sensors themselves read fingerprints perfectly well, the analysts were able to take advantage of the line of communication between those sensors and their host devices.

Though neither he nor Dark Reading could confirm it as of this writing, Jesse D'Aguanno, CEO and director of research at Blackwing Intelligence, told this publication that the manufacturers — Goodix, Synaptics, and Elan — have since patched their chips.

How to Subvert Fingerprint Sensors

By default, Windows Hello requires that fingerprint readers are "match-on-chip" (MoC), as opposed to "match-on-host" (MoH). MoC means that they have microprocessors and storage built in, eliminating the need to process and store sensitive biometric data on the host computer. That way privacy is maintained, even if the host is compromised.

While MoC might prevent a hacker from obtaining access using a stored copy of fingerprint data, it doesn't on its own prevent a malicious sensor from stepping in for the legitimate one and claiming a successful authentication attempt, or simply replaying a previously successful attempt.

To secure end-to-end communication between sensor and host, Microsoft developed the Secure Device Connection Protocol (SDCP). However, two of the three readers in question did not have SDCP enabled by default, and a third suffered from imperfect implementation.

Because Elan sensors didn't have SDCP turned on, for example, and because they transmitted security IDs in cleartext, the researchers were able to simply use a USB as a stand-in, convincing the host machine of an authorized login.

Synaptics also skimped on SDCP protection, and for Goodix-protected computers with both Windows and Linux installed, the researchers were able to more circuitously take advantage of the fact that Linux doesn't support SDCP.

Potentially a Bigger Picture

D'Aguanno's study was limited to three laptops, serviced by three models of fingerprint reader. It's possible that the similar kinds of vulnerabilities remain undiscovered and unaddressed in more chips, and more computers around the world that rely on them.

"Whether it's other manufacturers or other environments like Linux, or in the Apple ecosystem, there's potential there as well, of course," D'Aguanno says.

For what it's worth, though, his research hasn't spoiled his faith in biometrics.

"There are a lot of security professionals that think biometrics are really bad, inherently. I actually feel like appropriate use of biometrics can bolster security in a lot of ways," he says. "It can allow you to choose a longer, more secure password that then is also used for other security mechanisms like generating more secure encryption keys for securing your data. So the use of biometrics then gives you that level of convenience."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights