Microsoft’s Offensive Research and Security Engineering (MORSE) asked the cybersecurity company to evaluate the security of its fingerprint sensors. In October, the researchers provided their findings in a presentation at the tech giant’s BlueHat conference. Fingerprint sensors are now widely used by Windows laptop users. Microsoft has also pushed Windows Hello for a passwordless future.
A few years ago, Microsoft revealed that nearly 85% of consumers were using Windows Hello to sign into Windows 10 devices instead of using a password. It is important to note that Microsoft also counts a simple PIN as Windows Hello.
Vulnerabilities in Windows Hello authentication system
The security team identified popular fingerprint sensors from Goodix, Synaptics and ELAN as targets for the research. In a blog post, the company explained how a USB device can be built to perform a man-in-the-middle (MITM) attack. Such an attack could provide access to a stolen laptop, or enable an “evil maid” attack on an unattended device.
Laptop models including Dell Inspiron 15, Lenovo ThinkPad T14 and Microsoft Surface Pro X were affected by the fingerprint reader attacks. This allowed the researchers to bypass the Windows Hello protection as long as the fingerprint authentication had been set up on a device earlier.
The research team reverse-engineered both software and hardware and discovered cryptographic implementation flaws in a custom TLS on the Synaptics sensor. The complicated process to bypass Windows Hello also involved decoding and reimplementing proprietary protocols.
This isn’t the first time that Windows Hello biometrics-based authentication has been bypassed. In 2021, Microsoft was forced to fix a Windows Hello authentication bypass vulnerability after a proof-of-concept surfaced that captured an infrared image of a victim to spoof Windows Hello’s facial recognition feature.
Alex Smith is a writer and editor with over 10 years of experience. He has written extensively on a variety of topics, including technology, business, and personal finance. His work has been published in a number of magazines and newspapers, and he is also the author of two books. Alex is passionate about helping people learn and grow, and he believes that writing is a powerful tool for communication and understanding.