The Information Highway

Windows Hello auth bypassed on Microsoft, Dell, Lenovo laptops

Security researchers bypassed Windows Hello fingerprint authentication on Dell Inspiron, Lenovo ThinkPad, and Microsoft Surface Pro X laptops with attacks that exploit flaws in the laptops' embedded fingerprint sensors.

Blackwing Intelligence security researchers discovered vulnerabilities during research sponsored by Microsoft's Offensive Research and Security Engineering (MORSE) to assess the security of the top three embedded fingerprint sensors used for Windows Hello fingerprint authentication.

Blackwing's Jesse D'Aguanno and Timo Teräs targeted embedded fingerprint sensors made by ELAN, Synaptics, and Goodix on Microsoft Surface Pro X, Lenovo ThinkPad T14, and Dell Inspiron 15.

All tested fingerprint sensors were Match-on-Chip (MoC) sensors with their own microprocessor and storage, allowing fingerprint matching to be performed securely within the chip.

However, while a MoC sensor prevents a stored fingerprint template from being handed to the host for matching (and so from being replayed there), it does not by itself stop a malicious device from impersonating a legitimate sensor on the host link. Such a device could falsely report a successful match, or replay traffic previously observed between the host and the real sensor.

To counter attacks that exploit these weaknesses, Microsoft developed the Secure Device Connection Protocol (SDCP), which is meant to ensure that the fingerprint device is trusted and healthy and that the traffic between the fingerprint device and the host is protected. The targeted devices should have been covered by it.
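The following toy model, added here as an illustration and not code from Microsoft, Blackwing or any sensor vendor, shows the two threats the paragraphs above describe and the idea behind SDCP's defence. The first half is a cleartext protocol in which the host trusts any "MATCH" message on the bus, so a spoofed device or a replayed capture unlocks the machine. The second half binds each match result to a fresh host nonce with an HMAC under a session key, so a device without the key cannot forge a result and a captured result cannot be replayed. It assumes the host and genuine sensor already share a session key; real SDCP derives that key with ECDH and a device attestation chain, which is omitted here. The enrolled template ID and the messages are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample state: the host has enrolled template ID 1 for its user.
ENROLLED_IDS = {1}


# ---------- 1. Cleartext, unauthenticated sensor protocol ----------
def cleartext_sensor_reply(template_id: int) -> bytes:
    """What an unauthenticated sensor sends after a successful on-chip match."""
    return b"MATCH:%d" % template_id


def cleartext_host_verify(msg: bytes) -> bool:
    """Host trusts the wire: any well-formed MATCH for an enrolled ID unlocks."""
    kind, _, tid = msg.partition(b":")
    return kind == b"MATCH" and tid.isdigit() and int(tid) in ENROLLED_IDS


def demo_cleartext() -> tuple[bool, bool, bool]:
    """Returns (genuine accepted, forged accepted, replayed accepted)."""
    genuine = cleartext_host_verify(cleartext_sensor_reply(1))
    # A MitM device that never saw a finger simply claims the legitimate ID.
    forged = cleartext_host_verify(b"MATCH:1")
    # A capture of an earlier genuine reply is just as good as the original.
    captured = cleartext_sensor_reply(1)
    replayed = cleartext_host_verify(captured)
    return genuine, forged, replayed


# ---------- 2. SDCP-style authenticated response (simplified) ----------
def _tag(key: bytes, nonce: bytes, template_id: int) -> bytes:
    # MAC over (nonce || template ID): binds the result to this one challenge.
    return hmac.new(key, nonce + template_id.to_bytes(4, "big"), hashlib.sha256).digest()


class Host:
    def __init__(self, session_key: bytes):
        self.key = session_key
        self.nonce = None

    def challenge(self) -> bytes:
        """Issue a fresh random nonce before asking the sensor to authorize."""
        self.nonce = os.urandom(32)
        return self.nonce

    def verify(self, template_id: int, tag: bytes) -> bool:
        if self.nonce is None:
            return False
        expected = _tag(self.key, self.nonce, template_id)
        self.nonce = None  # single use: a later replay finds no nonce to match
        return hmac.compare_digest(tag, expected) and template_id in ENROLLED_IDS


class GenuineSensor:
    def __init__(self, session_key: bytes):
        self.key = session_key

    def authorize(self, nonce: bytes, template_id: int) -> tuple[int, bytes]:
        """Report the matched template ID together with a MAC over the host nonce."""
        return template_id, _tag(self.key, nonce, template_id)


def demo_authenticated() -> tuple[bool, bool, bool]:
    """Returns (genuine accepted, forged accepted, replayed accepted)."""
    key = os.urandom(32)  # assumption: in real SDCP this comes from ECDH + attestation
    host, sensor = Host(key), GenuineSensor(key)

    genuine = host.verify(*sensor.authorize(host.challenge(), 1))

    # Forgery: an impostor device lacks the key, so its tag is just noise.
    host.challenge()
    forged = host.verify(1, os.urandom(32))

    # Replay: capture a genuine authorization, then present it to a new challenge.
    captured = sensor.authorize(host.challenge(), 1)
    host.verify(*captured)  # the genuine use consumes that nonce
    host.challenge()
    replayed = host.verify(*captured)
    return genuine, forged, replayed


if __name__ == "__main__":
    print("cleartext     :", demo_cleartext())
    print("authenticated :", demo_authenticated())
```

The nonce is what defeats replay and the key is what defeats spoofing; dropping either one reopens the corresponding attack, which is why a vendor that ships the sensor without SDCP, or with a home-grown channel in its place, gives up both properties at once.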

Despite this, the researchers bypassed Windows Hello authentication on all three laptops with man-in-the-middle (MitM) attacks, using a custom Linux-powered Raspberry Pi 4 device.

Along the way they reverse-engineered software and hardware, exploited cryptographic implementation flaws in the Synaptics sensor's custom TLS protocol, and decoded and re-implemented proprietary protocols.

On the Dell and Lenovo laptops, the bypass consisted of enumerating valid template IDs and enrolling the attacker's fingerprint under the ID of a legitimate Windows user. (The Synaptics sensor in the ThinkPad secured its USB channel with a custom TLS stack instead of SDCP, and that stack is the one whose implementation flaws the researchers exploited.)

The Surface's ELAN sensor had no SDCP protection, communicated over USB in cleartext, and performed no authentication at all. The researchers disconnected the Type Cover that contains the sensor, attached a device spoofing it, and sent valid login responses from the spoofed device; with no secure channel, the host had no way to tell the two apart.

"Microsoft did a good job designing SDCP to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives," the researchers said.
