Security Researchers Discover Multiple Vulnerabilities in Windows Hello Fingerprint Authentication

Windows Hello fingerprint authentication

Microsoft recently asked cybersecurity researchers at Blackwing Intelligence to put Windows Hello biometric authentication to the test. After three months of research, Blackwing has now published its findings (via The Verge) and revealed that three fingerprint sensors used in Dell, Lenovo, and Microsoft devices have security flaws.

The vulnerabilities allowed the researchers to bypass Windows Hello authentication on all three devices. The embedded fingerprint sensor in Microsoft’s own Surface Type Cover, which you might expect to have top-notch security protections, turned out to be one of the easiest to bypass.


The security researchers carried out their tests on a Dell Inspiron 15 with a fingerprint sensor from Goodix, a Lenovo ThinkPad with a sensor from Synaptics, and an ARM-based Surface Pro X with a sensor (in the Type Cover) from ELAN. Their initial analysis found that the Lenovo ThinkPad was the only device to offer encrypted host-to-sensor communication, and that its code quality was better overall than that of the other two devices. Even so, the researchers needed a different method to bypass each of the three fingerprint sensors.

  • On the Dell Inspiron 15, the bypass relies on a USB man-in-the-middle attack that rewrites a configuration packet so the sensor uses a Linux fingerprint template database instead of the Windows one, sidestepping Microsoft’s Secure Device Connection Protocol (SDCP), which is meant to secure communication between the host and the fingerprint sensor.
  • On the Lenovo ThinkPad, the researchers found that the Synaptics sensor uses a less secure custom Transport Layer Security (TLS) stack instead of Microsoft’s SDCP protocol, and that its client certificate and key are readable by anyone.
  • Lastly, the fingerprint sensor on the Microsoft Surface Pro X Type Cover was apparently the easiest to compromise. The researchers simply needed to disconnect the fingerprint sensor and plug in an attack device that claimed to be the sensor by spoofing its USB vendor ID and product ID.

In their conclusions, the security researchers urged vendors of biometric sensors to make sure that Microsoft’s Secure Device Connection Protocol (SDCP) is actually enabled, so that communication with the fingerprint sensor is authenticated. Indeed, two of the three fingerprint sensors they analyzed shipped with SDCP disabled.
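To make the difference between the weak and the hardened setups concrete, here is an added Python model of what a host gains from an authenticated sensor channel of the kind SDCP provides. It is illustrative code written for this article, not Blackwing Intelligence's tooling and not Microsoft's SDCP implementation: the real protocol attests the sensor's key through a certificate chain and establishes a per-session secret, whereas this model assumes a single pre-shared HMAC key, a constructed USB vendor/product ID, and a fixed "enrolled" template ID. It covers both situations from the bullets above: a host that trusts only USB identity plus a reported template ID (the Type Cover case, and the effect of redirecting the template database), and a host that demands a keyed, nonce-bound proof that the genuine sensor produced this match.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed, hypothetical values. A real sensor's key lives in the sensor's
# secure hardware and is attested to the host; it is never a literal in code.
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
SENSOR_VID, SENSOR_PID = 0x1234, 0x5678      # constructed USB identity
ENROLLED_TEMPLATES = {b"template-user-1"}    # host-side list of enrolled template IDs


def tag(key: bytes, nonce: bytes, template_id: bytes) -> bytes:
    """Keyed MAC that binds a match result to the host's fresh nonce and to the
    template that matched. Fields are length-prefixed so encoding is unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in (b"match", nonce, template_id):
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


@dataclass
class MatchResult:
    template_id: bytes
    nonce: bytes
    tag: Optional[bytes]   # None when the device cannot produce one


class GenuineSensor:
    """Holds the provisioned key and answers every challenge freshly."""
    vid, pid = SENSOR_VID, SENSOR_PID

    def __init__(self, key: bytes) -> None:
        self._key = key

    def identify(self, nonce: bytes) -> MatchResult:
        matched = b"template-user-1"     # stands in for the real fingerprint match
        return MatchResult(matched, nonce, tag(self._key, nonce, matched))


class SpoofedDevice:
    """Reports the genuine sensor's VID/PID but holds no key."""
    vid, pid = SENSOR_VID, SENSOR_PID

    def identify(self, nonce: bytes) -> MatchResult:
        return MatchResult(b"template-user-1", nonce, None)


class ReplayingDevice:
    """Returns a result recorded from an earlier genuine session."""
    vid, pid = SENSOR_VID, SENSOR_PID

    def __init__(self, captured: MatchResult) -> None:
        self._captured = captured

    def identify(self, nonce: bytes) -> MatchResult:
        return self._captured


def host_accepts(sensor, device_key: bytes, require_channel: bool) -> bool:
    """Host-side decision. With require_channel=False the host trusts USB identity
    plus the reported template ID, which is the weak pattern described above."""
    if (sensor.vid, sensor.pid) != (SENSOR_VID, SENSOR_PID):
        return False
    nonce = os.urandom(32)               # fresh challenge per authentication attempt
    result = sensor.identify(nonce)
    if result.template_id not in ENROLLED_TEMPLATES:
        return False
    if not require_channel:
        return True                      # no proof of origin: anything plausible passes
    if result.tag is None or result.nonce != nonce:
        return False                     # no proof of possession, or a stale challenge
    expected = tag(device_key, nonce, result.template_id)
    return hmac.compare_digest(result.tag, expected)


def run_scenarios() -> dict:
    genuine = GenuineSensor(DEVICE_KEY)
    spoof = SpoofedDevice()
    replay = ReplayingDevice(genuine.identify(os.urandom(32)))  # captured earlier
    return {
        "genuine_no_channel": host_accepts(genuine, DEVICE_KEY, False),
        "spoof_no_channel": host_accepts(spoof, DEVICE_KEY, False),
        "genuine_channel": host_accepts(genuine, DEVICE_KEY, True),
        "spoof_channel": host_accepts(spoof, DEVICE_KEY, True),
        "replay_channel": host_accepts(replay, DEVICE_KEY, True),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:20s} {'ACCEPT' if ok else 'REJECT'}")
```

The two "no_channel" cases show why USB identity is not authentication: the host cannot tell the genuine sensor from a device that merely claims the same IDs. Once the host requires a tag over its own nonce and the template ID, a device without the key fails, and a recorded result fails too because the nonce no longer matches. The point for vendors is the one the researchers make: the protection only helps when it is switched on and when every decision the host relies on falls inside the authenticated channel.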

“Microsoft did a good job designing SDCP to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives. Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all,” the researchers explained.

It’s still worth remembering that Windows Hello biometric authentication remains more secure than using a password. It’s just not as secure as we thought, and that is exactly why having cybersecurity experts analyze how these systems are implemented helps improve security.


Thurrott © 2024 Thurrott LLC