A growing number of Windows laptops feature fingerprint sensors with support for Microsoft’s Windows Hello technology. The idea is to let users login quickly by tapping a finger against the sensor rather than typing in a password or PIN.

But security researchers at Blackwing Intelligence have found “multiple vulnerabilities” in the implementation of these fingerprint sensors that allow them to login without the correct fingerprint.

Not only is Microsoft aware of the vulnerabilities – the company actually asked Blackwing to try to find vulnerabilities in “the top three fingerprint sensors embedded in laptops and used for Windows Hello fingerprint authentication,” including sensors from Goodix, Synaptics, and ELAN.

To do that, the team targeted a Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro Type Cover with Fingerprint ID… and was able to bypass Windows Hello authentication on all three.

You can read a detailed account of how they searched for, found, and exploited the security vulnerabilities in a blog post, or watch a video of Blackwing’s presentation at Microsoft’s BlueHat security conference in October.

In a nutshell though, the hacks tended to involve convincing the fingerprint sensor that a different fingerprint than the one enabled by the Windows Hello user was legitimate.

To do that, the security researchers took steps like disconnecting a fingerprint sensor from a Windows laptop, connecting it to a Raspberry Pi 4 computer running Linux, and then running MitM (Man in the Middle) code that identified valid fingerprint records in the Windows database and allowed a user to enroll a new fingerprint into that database.

After that’s complete, the attacker can login using their own fingerprint, and Windows will think it’s the legitimate user.

While it took the team three months to discover and exploit these vulnerabilities, they report that they now have “three 100% reliable bypasses of Windows Hello authentication.”

Why was it so (relatively) easy? First, while Windows Hello is designed to make use of the Secure Device Connection Protocol (SDCP), which Blackwing’s researchers say does a pretty good job of providing “a secure channel between the host and biometric devices,” two out of the three devices they targeted didn’t even have SDCP enabled. And SDCP only covers part of the attack surface, meaning that even on devices that do have it enabled, there are plenty of other places to look for vulnerabilities.

Blackwing’s recommendations? All companies that produce Windows Hello-compatible fingerprint sensors should turn on SDCP… and hire security researchers to look for other vulnerabilities that should be patched.

It’s unclear whether the vulnerabilities that were discovered will be patched anytime soon, so if you’re concerned about security, you might want to consider switching to a PIN or unique password. If you’re more concerned with convenience, then I suppose you can just hope that nobody with the know-how and motivation gets their hands on your laptop anytime soon.
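For anyone managing a fleet of these laptops rather than a single machine, the article’s advice to fall back to a PIN or password can be enforced centrally instead of left to each user. The script below is an added example, not code from the article or from Blackwing; it uses the Windows Group Policy setting “Allow the use of biometrics” (Computer Configuration > Administrative Templates > Windows Components > Biometrics), which is stored under the registry path shown. The policy path, value name and the `-Enforce`/audit behaviour are assumptions based on that documented policy, not something the article states.

```powershell
# Added example (not from the article): audit or disable Windows Hello
# biometric sign-in via the "Allow the use of biometrics" machine policy.
# Assumed policy location: HKLM\SOFTWARE\Policies\Microsoft\Biometrics, DWORD "Enabled".
# 0 = biometrics disabled (users must use PIN/password), 1 or absent = allowed.
# Run from an elevated PowerShell session; a reboot or sign-out applies the change.

$BiometricsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'

function Get-BiometricPolicyState {
    # Returns a small object describing whether the policy currently blocks biometrics.
    $value = $null
    if (Test-Path $BiometricsPolicyKey) {
        $value = (Get-ItemProperty -Path $BiometricsPolicyKey -ErrorAction SilentlyContinue).Enabled
    }
    [pscustomobject]@{
        PolicyKeyPresent   = Test-Path $BiometricsPolicyKey
        EnabledValue       = $value
        BiometricsBlocked  = ($null -ne $value -and [int]$value -eq 0)
    }
}

function Disable-BiometricSignIn {
    # Creates the policy key if needed and sets Enabled=0 so Windows Hello
    # fingerprint/face sign-in is no longer offered; PIN and password still work.
    if (-not (Test-Path $BiometricsPolicyKey)) {
        New-Item -Path $BiometricsPolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $BiometricsPolicyKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    Get-BiometricPolicyState
}

# Usage: audit first, then enforce only if biometrics are still allowed.
$state = Get-BiometricPolicyState
Write-Host "Biometrics blocked by policy: $($state.BiometricsBlocked)"
if (-not $state.BiometricsBlocked) {
    $after = Disable-BiometricSignIn
    Write-Host "Policy applied. Biometrics blocked: $($after.BiometricsBlocked)"
}
```

Auditing before enforcing matters here because the same key may already be managed by an Active Directory or Intune policy; a local write would be overwritten at the next policy refresh, so fleet-wide the setting belongs in the GPO or MDM profile rather than in a script run on each machine.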

via The Verge


14 Comments


  1. Seriously guys, using a mac is an infinitely safer and better experience. I used to buy top of the line gaming laptops with 4090 i9 overclocked graphics, max ram etc and my macbook air 15 is infinitely faster, easier to use and a way more pleasant experience.

  2. When someone is able to physically install a Rpi4 to implement a man-in-the-middle attack on your laptop, you probably have more problems than fingerprint authentication.

  3. I’ve never enabled the Windows Hello feature for any laptops I’ve owned with fingerprint scanners equipped, mostly because the fingerprint scanners themselves have been very poor in quality. My current Asus Vivobook OLED model fails to read my fingerprint at least 1 out of every 4 attempts.

  4. My last Dell laptop came with a fingerprint scanner I wasn’t expecting. Dell’s website is hardly a model of clarity. I used it for awhile, but it really isn’t that much more convenient than simply typing in a password. I’m glad I didn’t specifically look for a model with a fingerprint scanner and pay extra.

  5. All the more reason to prefer hardware security keys or smart cards.
    Since, you know, that’s just confirmation that Microsoft is collecting people’s faces and fingerprints.

    1. Actually that was a stupid thing to say, the article said Windows Database, not Microsoft Database, but still, security keys are plenty convenient.

    2. I wouldn’t even trust TPM, cause those keys can be extracted. I still think good old-fashioned passwords + VeraCrypt is the way to go. Besides, I would never let Microsoft get ahold of my biometrics.

      1. I hope this post helps someone, as I found this through research and trial and error. I just want to help others. I recently abandoned Linux cause I was tired of the bugs. I found this combination works extremely well for me in Windows 11.

        I use VeraCrypt for disk encryption, TinyWall which blocks Windows updates, and so far seems to block ALL telemetry going out. I used Microsoft’s own winget to uninstall the Microsoft Store, Cortana, Photos, and Xbox stuff. I disabled Windows Defender and restored the classic right-click context menu.

        All-in-all, I’m quite happy with my setup. Windows is much faster after doing all that, and everything just works. I uninstalled Photos cause they use A.I. to scan your photos like Apple does. I use Irfanview instead. For disc burning, I use CDBurnerXP.

        All in all, I’m QUITE happy with this setup. You don’t need things like OOShutUp or other third party utilities to block telemetry/updates, just use TinyWall.

        Windows is sane now. Without those above steps, I’d really despise Windows to be honest.

        Funny thing is, Windows is desperately trying to install a “security” update that includes CoPilot, but it’s forever stuck at downloading 0% because of TinyWall. I personally would never allow that on my system.

        In TinyWall, you can uncheck Windows Update so it won’t download anything. If you need updates, you can use the Microsoft Update Catalog and manually install updates, no need for Windows Update.

        I really hope this post helps someone, cause after doing those things, I’m a pretty happy camper with Windows again.

        You don’t need biometrics. Just use a decent password with VeraCrypt. Don’t buy into all the hype, just use the grey matter inside your skull and THINK about things. 🙂

        1. Oh, and make sure to disable the services “Connected User Experiences and Telemetry” or something like that, and “dmwappushservice”. Those are the telemetry services.

          I don’t know if Microsoft will close those holes in the future and make it more difficult to disable that stuff as I outlined. But for now, I’m pretty happy.

          Hope this helps someone.

          1. Because everybody knows tin foil is insufficient! You need at least Wolfram.

          2. “Don’t forget the tinfoil hat.”
            He says as he chows down on his Big Mac while changing his profile picture from a Ukraine flag to an Israel flag.