- This Week in Scams: $16.6 Billion Lost, Deepfakes Rise, and Google Email Scams Emerge | McAfee Blog
- Proof-of-concept bypass shows weakness in Linux security tools, claims Israeli vendor
- SAP NetWeaver customers urged to deploy patch for critical zero-day vulnerability
- Lenovo targets AI workloads with massive storage update
- Girls Power Tech Inspires the Next Generation of Tech Leaders
Windows Hello Fingerprint Tech is Hacked
Security researchers have found a way to bypass the popular Windows Hello fingerprint authentication technology, after discovering multiple vulnerabilities.
Microsoft’s Offensive Research and Security Engineering (MORSE) asked Blackwing Intelligence to evaluate the security of the top three fingerprint sensors embedded in laptops.
The firm studied a Dell Inspiron 15, a Lenovo ThinkPad T14 and a Microsoft Surface Pro X, and more specifically fingerprint sensors made by ELAN, Synaptics and Goodix.
The Blackwing team then conducted “extensive reverse engineering” of software and hardware, during which they found cryptographic implementation flaws in a custom TLS, and deciphered and reimplemented proprietary protocols.
Read more on Windows Hello: #BHUSA: Windows Hello Passwordless Bypass Revealed
All three sensors featured Match-on-Chip (MoC) technology which is designed to provide extra security by ensuring fingerprint matching is done on the processor. Microsoft created the Secure Device Connection Protocol (SDCP) as an added layer of protection. The protocol is meant to prevent a compromised OS from authorizing use of user keys when the user is not present.
However, the researchers were able to completely bypass authentication on all three laptops using man-in-the-middle attacks carried out with a Raspberry Pi 4.
“Microsoft did a good job designing SDCP to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives,” the researchers concluded.
“Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all. Finally, we found that SDCP wasn’t even enabled on two out of three of the devices we targeted.”
Blackwing Intelligence urged manufacturers to ensure SDCP is enabled on their devices, and that they reach out to a third-party auditor to check that the implementation is correct.
Image credit: Melnikov Dmitriy / Shutterstock.com
