Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Windows Hello Fingerprint Authentication Bypassed on Popular Laptops

Researchers have tested the fingerprint sensors used for Windows Hello on three popular laptops and managed to bypass them.

Security researchers have tested the fingerprint sensors used for Windows Hello on three popular laptops and managed to find a way to bypass authentication on each device.

The research was conducted by security engineering and research services provider Blackwing Intelligence and Microsoft’s Offensive Research and Security Engineering (MORSE).

The targets were a Dell Inspiron 15 with a Goodix fingerprint sensor, a Lenovo ThinkPad T14s with the Synaptics sensor, and a Microsoft Surface Pro X, which has an ELAN sensor. 

The embedded fingerprint sensors and the host were targeted with software and hardware attacks. 

All the tested sensors are Match-on-Chip, which means the chip has a microprocessor and memory, and the fingerprint data never leaves the sensor. The chip itself needs to be attacked in order to bypass authentication. 

The attack requires physical access to the targeted device — the attacker would have to steal the device or use the evil maid method

The attacks demonstrated by the researchers were conducted by connecting a hacking device to each laptop, via USB or by connecting the fingerprint sensor to a specially crafted rig.

In the case of the Dell and Lenovo laptops, Windows Hello fingerprint authentication was bypassed by enumerating valid IDs associated with user fingerprints, and enrolling the attacker’s fingerprint by spoofing a legitimate user’s ID.

Advertisement. Scroll to continue reading.

In the case of the Surface device, the attacker needs to unplug the Type Cover, which is basically the keyboard and also includes the fingerprint sensor, and connect a USB device that spoofs the fingerprint sensor and instructs the system that an authorized user is logging in.

A blog post describing a part of the findings was published on Tuesday by Blackwing. In addition, Microsoft has made public a video where Blackwing researchers presented their findings at the tech giant’s BlueHat conference in October. 

Related: Microsoft Warns of Persistent Windows Hello for Business Orphaned Keys

Related: Vulnerability in IDEMIA Biometric Readers Allows Hackers to Unlock Doors

Related: Token Gets $30M Funding for Biometrics MFA Smart Ring

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Endpoint Security

Gigabyte has announced BIOS updates that remove a recently identified backdoor feature in hundreds of its motherboards.

Endpoint Security

Several major companies have published advisories in response to the Downfall vulnerability affecting Intel CPUs.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Endpoint Security

The Zero Day Dilemma

Endpoint Security

When establishing visibility and security controls across endpoints, security professionals need to understand that each endpoint bears some or all responsibility for its own...