There is news for Windows users regarding Hello biometric authentication. Security researchers from Blackwing Intelligence have identified several flaws in Windows Hello fingerprint authentication, affecting laptops from Dell, Lenovo, and Microsoft itself. The findings highlight security risks in the fingerprint sensors widely used by businesses to secure Windows Hello-enabled laptops. This is worth taking note of in an online world where security breaches occur often and put our data privacy at risk. Continue reading for the details of the flaws in Windows Hello fingerprint authentication and the points of concern they raise.
Before the Discovery of Flaws in Windows Hello Fingerprint Authentication
Three years ago, Microsoft disclosed that almost 85% of users signed into Windows 10 devices with Windows Hello rather than a password. It is worth noting that Microsoft counts a basic PIN as part of the Windows Hello statistics. As mentioned at the start, many businesses rely on Windows Hello to secure their laptops.
Given this vast user base, Microsoft's Offensive Research and Security Engineering (MORSE) team enlisted Blackwing Intelligence to assess the security of fingerprint sensors. The researchers presented the results of this evaluation at Microsoft's BlueHat conference in October.
What Are the Flaws in Windows Hello Fingerprint Authentication?
The identified vulnerabilities allowed the researchers to bypass Windows Hello authentication on all three devices. Surprisingly, the fingerprint sensor embedded in Microsoft's own Surface Type Cover, which one might assume to be the best protected, proved to be the easiest of the three to bypass.
The researchers tested a Dell Inspiron 15 equipped with a Goodix fingerprint sensor, a Lenovo ThinkPad featuring a Synaptics sensor, and an ARM-based Surface Pro X using an ELAN sensor in the Type Cover. Initial evaluation indicated that the Lenovo ThinkPad had the strongest encrypted host-to-sensor communication and better overall code quality than the other two devices. Even so, the researchers devised a distinct method to bypass each of the three sensors.
Three Flaws Found on Three Devices
1. The attack on the Dell Inspiron 15 is a USB man-in-the-middle (MitM) attack: a configuration packet sent to the Goodix sensor is rewritten so that the sensor uses the fingerprint database it keeps for Linux instead of the one it keeps for Windows. This manipulation bypasses Microsoft's Secure Device Connection Protocol (SDCP), which is designed to secure communication between the host and the fingerprint sensor.
2. For the Lenovo ThinkPad, the researchers found that the Synaptics sensor uses a custom Transport Layer Security (TLS) stack instead of Microsoft's SDCP. They also observed that the sensor's client certificate and key are accessible to anyone, which undermines the protection that TLS is supposed to provide.
3. Finally, the fingerprint sensor integrated into the Microsoft Surface Pro X Type Cover was the easiest to compromise. The researchers bypassed it by disconnecting the fingerprint sensor and connecting an attack device that impersonated the sensor by spoofing its USB vendor ID and product ID.
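The three attacks above share one root cause: the host accepts a "fingerprint matched" result from whatever is on the other end of the USB link, identified only by its vendor and product IDs, unless SDCP binds that result to a key the host can verify. The following Python model, added here as an illustration and not code from Blackwing Intelligence, Microsoft or any sensor vendor, contrasts a host that trusts the device identity alone with one that demands a keyed MAC over a fresh host nonce. It is a simplified stand-in for SDCP: the real protocol's key establishment and wire format differ, and the vendor/product IDs, pairing secret and user ID below are constructed for the demonstration.

```python
"""Simplified model of why a spoofed fingerprint sensor is accepted without a
keyed, nonce-bound match result and rejected with one.  Constructed example;
not Microsoft's SDCP implementation or any vendor's firmware."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed values for the demonstration, not real vendor IDs or keys.
EXPECTED_VID_PID = (0x1234, 0x5678)
DEVICE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # assumed pairing secret
USER_ID = b"enrolled-user-0001"


@dataclass
class MatchReport:
    """What the sensor sends the host after it claims a fingerprint matched."""
    vid: int
    pid: int
    user_id: bytes
    nonce: Optional[bytes] = None
    mac: Optional[bytes] = None


def host_accepts_without_sdcp(report: MatchReport) -> bool:
    """Host with no secure channel: trust the device purely by its USB identity."""
    return (report.vid, report.pid) == EXPECTED_VID_PID and bool(report.user_id)


def sensor_authorize(secret: bytes, nonce: bytes, user_id: bytes) -> MatchReport:
    """Sensor holding the pairing secret: bind the match result to the host's nonce."""
    vid, pid = EXPECTED_VID_PID
    mac = hmac.new(secret, b"authorize|" + nonce + b"|" + user_id, hashlib.sha256).digest()
    return MatchReport(vid, pid, user_id, nonce, mac)


def host_accepts_sdcp_like(report: MatchReport, secret: bytes, issued_nonce: bytes) -> bool:
    """Host with a secure channel: accept only a result MAC'd under the paired
    secret over the exact nonce this host issued for this login attempt."""
    if report.nonce != issued_nonce or report.mac is None:
        return False
    expected = hmac.new(secret, b"authorize|" + issued_nonce + b"|" + report.user_id,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, report.mac)


def spoofed_device_report(nonce: bytes) -> MatchReport:
    """Attacker hardware: same VID/PID as the real sensor, but no pairing secret,
    so the best it can do is send a made-up MAC."""
    vid, pid = EXPECTED_VID_PID
    return MatchReport(vid, pid, USER_ID, nonce, os.urandom(32))


def run_demo() -> dict:
    """Run the four scenarios the article's three flaws illustrate."""
    nonce1 = os.urandom(32)                       # host's nonce for this login
    genuine = sensor_authorize(DEVICE_SECRET, nonce1, USER_ID)
    spoof = spoofed_device_report(nonce1)
    nonce2 = os.urandom(32)                       # fresh nonce for the next login
    # An attacker who has extracted the sensor's key (the Synaptics finding) can
    # produce the same report as the genuine sensor, so the MAC no longer helps.
    forged_with_leaked_key = sensor_authorize(DEVICE_SECRET, nonce1, USER_ID)
    return {
        "spoof_accepted_without_sdcp": host_accepts_without_sdcp(spoof),
        "spoof_accepted_with_sdcp_like": host_accepts_sdcp_like(spoof, DEVICE_SECRET, nonce1),
        "genuine_accepted_with_sdcp_like": host_accepts_sdcp_like(genuine, DEVICE_SECRET, nonce1),
        "replay_accepted_with_sdcp_like": host_accepts_sdcp_like(genuine, DEVICE_SECRET, nonce2),
        "leaked_key_forgery_accepted": host_accepts_sdcp_like(forged_with_leaked_key,
                                                              DEVICE_SECRET, nonce1),
    }


if __name__ == "__main__":
    for scenario, accepted in run_demo().items():
        print(f"{scenario}: {accepted}")
```

The first scenario is the Surface Type Cover case: with nothing beyond VID/PID to check, the host accepts the impostor. The second and fourth show what a nonce-bound, keyed result buys: the impostor cannot produce a valid MAC, and a captured genuine report cannot be replayed against a later nonce. The last scenario is why the Synaptics finding matters even though that sensor did encrypt its traffic: once the device's key is in the attacker's hands, the channel authenticates the attacker as readily as the sensor.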
The Feedback From the Researchers Regarding the Flaws in Windows Hello Fingerprint Authentication
In their findings, the researchers recommended that biometric sensor manufacturers enable Microsoft's Secure Device Connection Protocol (SDCP) so that communication with the fingerprint sensor is protected. Notably, two of the three analysed fingerprint sensors were found to have SDCP disabled.
"Microsoft effectively designed SDCP to establish a secure channel between the host and biometric devices; however, device manufacturers appear to misinterpret certain objectives. Additionally, SDCP only covers a very narrow scope of a typical device's operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all," the researchers explained.
Concerns About the Robustness of Windows Hello Given the Flaws in Fingerprint Authentication
The flaws in Windows Hello fingerprint authentication are not the first time Windows Hello biometric authentication has been compromised. In 2021, Microsoft had to address a vulnerability in Windows Hello after a proof-of-concept showed that its facial recognition could be bypassed with a captured infrared image of the victim. As for the fingerprint flaws, it remains unclear whether Microsoft can address them on its own, since the recommended fix for two of the sensors is for their manufacturers to enable SDCP.
Even with these flaws, it is worth emphasising that Windows Hello biometric authentication remains more secure than relying on a password, although the findings show it is not as secure as many assumed. Having security experts scrutinise how these systems are implemented is essential to improving them. Microsoft is believed to be working on these issues, although a resolution may take time; growing concern over privacy and security in the wake of repeated data breaches may help speed it along.