
Microsoft's "Windows Hello" is not as secure as expected

A security firm has discovered loopholes in fingerprint sensors and was able to gain access to Windows laptops, apparently without much effort.
Since Windows 10, users have been using "Windows Hello" technology to log in to their devices. In addition to a PIN code, users can also authenticate themselves using biometric means, such as a fingerprint. As there are numerous different manufacturers of Windows laptops, different fingerprint sensors are also used.
However, this authentication method can apparently be circumvented with relatively simple means. This was discovered by the security company "Blackwing". The cause lies in several vulnerabilities across several fingerprint sensors.
USB device bypasses fingerprint lock
The affected fingerprint sensors come from the manufacturers Goodix, Synaptics and ELAN. Their sensors are used in laptops from Dell, Lenovo and Microsoft, among others. Blackwing was commissioned by Microsoft to investigate a Dell Inspiron 15, a Lenovo ThinkPad T14 and a Surface Pro X from Microsoft.

Source: Florian Bodoky
Blackwing managed to carry out a man-in-the-middle (MITM) attack using a prepared USB device. As soon as the USB stick was inserted, it granted access to the notebook if fingerprint login was activated. This is estimated to be the case for 85 per cent of all notebooks, not least because Microsoft is strongly promoting passkey technology. The MITM took place on the interface between the fingerprint scanner and the host, which is where Blackwing was able to pin the weakness down.
According to Blackwing, this suggests that the vulnerability is not entirely Microsoft's fault. This is because Microsoft has developed the Secure Device Connection Protocol (SDCP) for secure data exchange between the sensor and the host. According to Blackwing, the manufacturers do not really understand how SDCP works. The protocol was not even activated on two of the three devices tested. Blackwing recommends that notebook manufacturers ensure that SDCP is activated and correctly implemented in the fingerprint sensor.
Microsoft, meanwhile, is the one left bearing the consequences of the vulnerability. However, the company also needs to look at itself: the Surface Pro X was also one of the notebooks on which SDCP was not activated.
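Why an unprotected sensor-to-host link matters, as an added example that is not from the article, Blackwing or Microsoft: a simplified Python model in which the host accepts a match result only if it carries a MAC keyed with a session secret and bound to a fresh host nonce. The message layout, the label and all names are assumptions for illustration and are not the SDCP wire format.

```python
import hashlib
import hmac
import os

LABEL = b"identify"  # assumed domain-separation label, not taken from the SDCP spec

class Sensor:
    """Constructed model of a sensor that shares a session secret with the host."""

    def __init__(self, session_key: bytes, enrolled_id: bytes):
        self._key = session_key
        self._enrolled_id = enrolled_id

    def identify(self, nonce: bytes) -> tuple[bytes, bytes]:
        # Returns the matched ID plus a MAC over label, host nonce and ID.
        tag = hmac.new(self._key, LABEL + nonce + self._enrolled_id, hashlib.sha256).digest()
        return self._enrolled_id, tag

def host_accepts_unprotected(reported_id: bytes, known_ids: set) -> bool:
    # Weak host: trusts whatever arrives on the bus, so any device in the path decides.
    return reported_id in known_ids

def host_accepts_protected(session_key, nonce, reported_id, tag, known_ids) -> bool:
    # Hardened host: recompute the MAC with its own nonce, compare in constant time.
    expected = hmac.new(session_key, LABEL + nonce + reported_id, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag) and reported_id in known_ids

def demo() -> dict:
    key = os.urandom(32)   # stands in for the secret from key agreement (assumption)
    user = b"user-0001"    # constructed template ID
    known = {user}
    sensor = Sensor(key, user)

    nonce = os.urandom(32)  # fixed 32-byte nonce keeps the MAC input unambiguous
    rid, tag = sensor.identify(nonce)
    results = {"genuine": host_accepts_protected(key, nonce, rid, tag, known)}
    # Message from a device that lacks the session key: the tag cannot be valid.
    results["forged_tag"] = host_accepts_protected(key, nonce, user, os.urandom(32), known)
    # An old genuine response checked against a fresh nonce is rejected as well.
    results["replay"] = host_accepts_protected(key, os.urandom(32), rid, tag, known)
    # The same unauthenticated claim on a link with no protection is accepted.
    results["unprotected"] = host_accepts_unprotected(user, known)
    return results

if __name__ == "__main__":
    print(demo())
```

The only case that differs between the two hosts is the last one, which is the situation the article describes for devices on which the protocol was not activated.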
