Windows Hello fingerprint authentication: Not as secure as you think
Thursday, November 23, 2023 at 10:44PM
Nicole Batac in Dell, Lenovo, Microsoft, Microsoft Windows Hello, News, Press release, Safety, Security, Windows Hello

Researchers have found security flaws in several fingerprint sensors used in laptops that work with the Windows Hello authentication feature. These flaws can allow bad actors to bypass fingerprint authentication easily and take control of the devices.

The researchers from Blackwing Intelligence tested laptops from Dell, Lenovo, and Microsoft, which use fingerprint sensors from companies like Goodix, Synaptics, and ELAN. At Microsoft’s BlueHat conference in October, they presented various attacks that can affect these laptops, such as man-in-the-middle and evil maid attacks.

The researchers noted that the bypasses required reverse engineering the hardware and software on the laptops. They found flaws in the security layer of the Synaptics sensor, in particular. Windows Hello had to be decoded and restructured to get past its setup, but it was still hackable.

The researchers also noted that Microsoft’s Secure Device Connection Protocol (SDCP) is a good attempt at applying a security measure within the biometric standard. It enables more secure communication between the biometric sensor and its laptop. However, not all manufacturers implemented the feature well enough to be effective, if they enabled it at all.

This study follows a 2021 facial recognition biometrics flaw in Windows Hello that allowed users to bypass the feature with certain modifications. Microsoft had to update its feature after researchers presented a proof of concept showing users with masks or plastic surgery bypassing Windows Hello facial recognition authentication.

Article originally appeared on Reviews, News and Opinion with a Canadian Perspective (https://www.canadianreviewer.com/).
See website for complete article licensing information.