A security team hired by Microsoft to test Windows Hello fingerprint authentication hardware and software said it was able to bypass the technology on some laptops, including the Microsoft Surface.
According to Neowin, the Blackwell Intelligence team revealed their findings last October as part of Microsoft’s BlueHat security conference, but they only posted the results on their own website this week. The blog post titled “A Touch of Pwn” said the team used fingerprint sensors inside Dell Inspiron 15 and Lenovo ThinkPad T14 laptops, and a Microsoft Surface Pro Type Cover with fingerprint ID made for Surface Pro 8 and X. Specific fingerprint sensors are manufactured by Goodix, Synaptics, and ELAN.
enabled fingerprint sensors All of the Windows Hello-tested uses chip-based hardware, meaning authentication is handled on the sensor itself, which has its own chip and storage.
In its statement, Blackwell said the database of “fingerprint templates” (biometric data captured by the fingerprint sensor) is stored on the chip, and registration and matching are done directly on the chip. Because fingerprint patterns never leave the chip, this eliminates privacy concerns as biometric data is stored securely. This also prevents attacks that involve sending valid fingerprint images to a server for comparison.
Even so, Blackwell still bypassed the system after using reverse engineering to find a vulnerability in the fingerprint sensor, then creating its own USB device to help carry out a man-in-the-middle (MitM) attack. This device allows the team to bypass the fingerprint authentication hardware in those devices.
According to Blackwell, although Microsoft uses secure device communication protocol (SDCP) to provide a secure channel between the server and the biometric device, two of the three fingerprint sensors were even tested. Do not enable SDCP. Blackwell recommends that all fingerprint sensor companies not only enable SDCP on their products but also have a third-party company ensure it works.
One thing to note is that it took Blackwell several attempts over about 3 months to surpass these fingerprint hardware products. It’s unclear how Microsoft and fingerprint sensor companies will fix the problem based on this research.