Windows Hello fingerprint authentication bypassed
Microsoft’s Offensive Research and Security Engineering (MORSE) has engaged Blackwing Intelligence's security researchers to assess the security of the top three fingerprint sensors integrated into laptops. The researchers have identified several vulnerabilities in widely used fingerprint sensors, enabling a complete bypass of Windows Hello fingerprint authentication.
Jesse D'Aguanno and Timo Teräs, researchers associated with Blackwing, presented their discoveries at Microsoft’s BlueHat conference in October. Their inquiry zeroed in on widely used fingerprint sensors, specifically those manufactured by Goodix, Synaptics, and ELAN, as found in Microsoft Surface Pro X, Lenovo ThinkPad T14, and Dell Inspiron 15. The researchers detailed the intricate process of creating a USB device capable of carrying out a man-in-the-middle (MitM) attack in a published blog post. This type of attack holds the potential to provide unauthorized access to unattended devices.
What is Windows Hello?
Windows Hello is a biometric authentication feature introduced by Microsoft as part of the Windows 10 operating system. It provides a secure and convenient way for users to access their devices and applications without using traditional passwords. Windows Hello supports various biometric authentication for Windows devices using fingerprints, faces, or irises.
Understanding the technology behind Windows Hello Fingerprint
Each of the tested fingerprint sensors incorporates Match-on-Chip (MoC) technology, featuring an independent microprocessor and storage within the chip to securely perform fingerprint matching.
Although MoC sensors prevent the replay of stored fingerprint data to the host, they do not inherently prevent a malicious sensor from mimicking a legitimate sensor's communication with the host. This could result in a false indication of successful user authentication or the replay of previously observed traffic between the host and sensor.
To address potential exploits of these vulnerabilities, Microsoft introduced the Secure Device Connection Protocol (SDCP). The purpose of SDCP was to ensure the trustworthiness and health of the fingerprint device and to safeguard the communication between the fingerprint device and the host on the targeted devices.
However, despite these preventive measures, security researchers were able to successfully bypass Windows Hello authentication on all three laptops using man-in-the-middle (MiTM) attacks. This was accomplished by leveraging a custom Linux-powered Raspberry Pi 4 device.
Blackwing Intelligence explaining how the fingerprint bypass was made possible. Video source: YouTube
Process leading to Windows Hello Fingerprint Bypass
Throughout the investigation, the researchers employed a combination of software and hardware reverse-engineering techniques. They identified cryptographic implementation flaws in the custom TLS protocol of the Synaptics sensor, decoding and re-implementing proprietary protocols.
On Dell and Lenovo laptops, the authentication bypass was accomplished by enumerating valid IDs and enrolling the attacker's fingerprint using the ID of a legitimate Windows user. The Synaptics sensor, in this case, utilized a custom TLS stack instead of SDCP for securing USB communication.
For the Surface device, the ELAN fingerprint sensor lacked SDCP protection, utilized cleartext USB communication, and lacked authentication. The researchers exploited these vulnerabilities by spoofing the fingerprint sensor after disconnecting the Type Cover containing the sensor. Subsequently, they sent valid login responses from the spoofed device.
In simpler terms, the researchers discovered that these fingerprint sensor vulnerabilities could enable hackers to intercept and manipulate data exchanged between the fingerprint sensor and Windows Hello software. This implies that hackers could potentially spoof your fingerprint, gaining access to your computer without your knowledge.
Recommended Solution
The researchers propose that original equipment manufacturers (OEMs) take proactive steps to enhance security. They recommend ensuring the activation of the Secure Device Connection Protocol (SDCP) for fingerprint sensors and undergoing a thorough audit of the fingerprint sensor implementation by a qualified expert.
This suggests that companies producing these devices should confirm that the security feature known as Secure Device Connection Protocol (SDCP) is activated for their fingerprint sensors. Additionally, they should seek the expertise of qualified professionals to scrutinize the implementation of the fingerprint sensor for security vulnerabilities.
For users, it is advisable to update their Windows Hello software promptly. To mitigate the risk associated with this vulnerability, users should also refrain from using fingerprint authentication on public computers. This proactive approach can contribute to safeguarding against potential security breaches.
REFERENCE
- A Touch of PWN – Part I by Jesse D'Aguanno, Timo Teräs, Blackwing Intelligence
- Researches able to bypass Windows Hello fingerprint authentication on Dell, Lenovo, and Surface laptops by Devash Beri, MSPowerUser
- Microsoft’s Windows Hello fingerprint authentication has been bypassed by Tom Warren, The Verge
- Windows Hello auth bypassed Microsoft, Dell, Lenovo laptops by Sergiu Gatlan, Bleeping Computer
About the Author
Ruben George