Security researchers have tested the fingerprint sensors used for Windows Hello on three popular laptops and managed to find a way to bypass authentication on each device.
The research was conducted by security engineering and research services provider Blackwing Intelligence and Microsoft’s Offensive Research and Security Engineering (MORSE).
The targets were a Dell Inspiron 15 with a Goodix fingerprint sensor, a Lenovo ThinkPad T14s with the Synaptics sensor, and a Microsoft Surface Pro X, which has an ELAN sensor.
The embedded fingerprint sensors and the host were targeted with software and hardware attacks.
All the tested sensors are Match-on-Chip, which means the chip has a microprocessor and memory, and the fingerprint data never leaves the sensor. The chip itself needs to be attacked in order to bypass authentication.
The attack requires physical access to the targeted device — the attacker would have to steal the device or use the evil maid method.
The attacks demonstrated by the researchers were conducted by connecting a hacking device to each laptop, via USB or by connecting the fingerprint sensor to a specially crafted rig.
In the case of the Dell and Lenovo laptops, Windows Hello fingerprint authentication was bypassed by enumerating valid IDs associated with user fingerprints, and enrolling the attacker’s fingerprint by spoofing a legitimate user’s ID.
In the case of the Surface device, the attacker needs to unplug the Type Cover, which is basically the keyboard and also includes the fingerprint sensor, and connect a USB device that spoofs the fingerprint sensor and instructs the system that an authorized user is logging in.
A blog post describing a part of the findings was published on Tuesday by Blackwing. In addition, Microsoft has made public a video where Blackwing researchers presented their findings at the tech giant’s BlueHat conference in October.