Windows Hello Fingerprint Tech is Hacked


Security researchers have found a way to bypass the popular Windows Hello fingerprint authentication technology, after discovering multiple vulnerabilities.

Microsoft’s Offensive Research and Security Engineering (MORSE) asked Blackwing Intelligence to evaluate the security of the top three fingerprint sensors embedded in laptops.

The firm studied a Dell Inspiron 15, a Lenovo ThinkPad T14 and a Microsoft Surface Pro X, and more specifically fingerprint sensors made by ELAN, Synaptics and Goodix.

The Blackwing team then conducted “extensive reverse engineering” of software and hardware, during which they found cryptographic implementation flaws in a custom TLS, and deciphered and reimplemented proprietary protocols.


All three sensors featured Match-on-Chip (MoC) technology, which is designed to provide extra security by ensuring fingerprint matching is done on the sensor's own chip rather than on the host. Microsoft created the Secure Device Connection Protocol (SDCP) as an added layer of protection. The protocol is meant to prevent a compromised OS from authorizing use of user keys when the user is not present.

However, the researchers were able to completely bypass authentication on all three laptops using man-in-the-middle attacks carried out with a Raspberry Pi 4.
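The following toy model illustrates the property SDCP is meant to give the host: a match report is only accepted if it is bound, by a keyed MAC, to a fresh host-chosen nonce, so a device or man-in-the-middle on the bus that does not hold the session key cannot inject or replay a "match OK". This is an added example written for this article, not Blackwing Intelligence's or Microsoft's code; it assumes a session key already shared between host and sensor (real SDCP derives it from an attested per-device key) and uses HMAC-SHA256 as a stand-in for the protocol's own construction. The `legacy_accept` path models a host with SDCP disabled, which trusts whatever arrives on the bus.

```python
"""Toy model of an SDCP-style authenticated match report (added example).

Assumptions (not from the article): a pre-shared session key, HMAC-SHA256
as the MAC, and a constructed template identifier. Real SDCP establishes
the key from an attested per-device key and uses its own message formats.
"""
import hashlib
import hmac
import secrets
from typing import Optional

KEY_LEN = 32
NONCE_LEN = 32


class MocSensor:
    """Match-on-Chip sensor: matching happens on-chip, the host only
    receives a report. Here the sensor holds the session key."""

    def __init__(self, session_key: bytes) -> None:
        self._key = session_key

    def respond(self, nonce: bytes, template_id: bytes) -> dict:
        """Report a successful match, authenticated over the host's nonce."""
        msg = b"match|" + nonce + b"|" + template_id
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        return {"nonce": nonce, "template_id": template_id, "mac": mac}


def legacy_accept(report: dict) -> Optional[bytes]:
    """Host with SDCP disabled: accepts any report seen on the bus."""
    return report.get("template_id")


class SdcpHost:
    """Host that only accepts reports bound to its own single-use nonce."""

    def __init__(self, session_key: bytes) -> None:
        self._key = session_key
        self._pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(NONCE_LEN)
        return self._pending

    def accept(self, report: dict) -> Optional[bytes]:
        # Reject anything not tied to the outstanding challenge (replay/stale).
        if self._pending is None or report["nonce"] != self._pending:
            return None
        self._pending = None  # nonce is single use
        msg = b"match|" + report["nonce"] + b"|" + report["template_id"]
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, report["mac"]):
            return None  # sender does not hold the session key
        return report["template_id"]


def demo() -> dict:
    """Run the four cases and return which template id each path accepts."""
    session_key = secrets.token_bytes(KEY_LEN)
    sensor = MocSensor(session_key)
    host = SdcpHost(session_key)
    enrolled = b"template-0001"  # constructed identifier, not a real value

    # Genuine sensor answering the host's challenge.
    nonce = host.challenge()
    genuine = sensor.respond(nonce, enrolled)
    sdcp_genuine = host.accept(genuine)

    # Same report presented again: nonce already consumed.
    sdcp_replay = host.accept(genuine)

    # A device on the bus that saw the nonce but lacks the session key.
    rogue = MocSensor(secrets.token_bytes(KEY_LEN))
    forged = rogue.respond(host.challenge(), enrolled)

    return {
        "sdcp_genuine": sdcp_genuine,
        "sdcp_replay": sdcp_replay,
        "sdcp_forged": host.accept(forged),
        "legacy_forged": legacy_accept(forged),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'accepted ' + result.decode() if result else 'rejected'}")
```

Only the genuine, fresh report passes the SDCP-style check; the replay and the forged report are rejected, while the legacy path accepts the forged report unconditionally. That gap between the two paths is what the researchers' finding that SDCP was not enabled on two of the three devices means in practice.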

“Microsoft did a good job designing SDCP to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives,” the researchers concluded.

“Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all. Finally, we found that SDCP wasn’t even enabled on two out of three of the devices we targeted.”

Blackwing Intelligence urged manufacturers to ensure SDCP is enabled on their devices, and that they reach out to a third-party auditor to check that the implementation is correct.

Image credit: Melnikov Dmitriy /
