Security researchers bypass Windows Hello fingerprint authentication

Martin Brinkmann
Nov 22, 2023

Security researchers at Blackwing Intelligence managed to bypass Windows Hello fingerprint authentication on devices with the three most used fingerprint sensors on Windows.

The researchers were asked by Microsoft's Offensive Research and Security Engineering to evaluate different fingerprint sensors that could be used to authenticate using Windows Hello.

The three target laptops were the Dell Inspiron 15, the Lenovo ThinkPad T14 and the Microsoft Surface Pro Type Cover with Fingerprint ID.

The report begins with the fundamentals: the researchers explain how current-generation fingerprint sensors work. All three sensors were Match on Chip (MoC) sensors, which use an integrated microprocessor to perform the verification of authentication requests on the chip itself. Windows Hello requires fingerprint sensors to support MoC.

Two potential attack vectors against MoC sensors are the spoofing of communication and the replaying of previously recorded traffic that authenticates requests.

Microsoft was aware of these shortcomings when it created Windows Hello and designed the Secure Device Connection Protocol (SDCP) to address them. In essence, SDCP makes sure that the fingerprint device is trusted and untampered, and protects the communication between the fingerprint device and the host system.

Details on each of the attacks are provided afterwards. The first target was the Dell Inspiron 15 laptop. Its sensor, made by Goodix, supports Windows Hello and SDCP and is also supported on Linux.

The Linux version provided the researchers with clues on the implementation and the bypass. On Windows, the SDCP spec enrolment process is followed. This is not the case on Linux, however. The main difference is that on Windows, an ID is generated as a "MAC operation on the host and validated on the sensor". This prevents the use of arbitrary IDs. On Linux, the host driver generates the ID and sends it to the sensor for storage.
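An added example (not from the article, the researchers' report or any vendor code) modelling why a MAC-derived template ID that the sensor validates blocks arbitrary IDs, while a sensor that simply stores host-chosen IDs does not. The shared secret, the nonce, the `enroll` label and all names are assumptions of this simplified model, not the SDCP wire format.

```python
import hashlib
import hmac
import secrets

# Simplified model, not the SDCP wire format or any vendor firmware.
# Assumed for illustration: a secret shared by host and sensor, a sensor-chosen
# nonce, the b"enroll" label, and every class and function name below.

def host_make_id(shared_secret: bytes, nonce: bytes) -> bytes:
    """Host side: derive the template ID as a MAC over the sensor's nonce."""
    return hmac.new(shared_secret, b"enroll" + nonce, hashlib.sha256).digest()

class Sensor:
    def __init__(self, shared_secret: bytes, validate_ids: bool):
        self._secret = shared_secret
        self._validate_ids = validate_ids  # True: ID is checked; False: stored as sent
        self._nonce = None
        self.templates = {}  # template ID -> enrolled template

    def begin_enrol(self) -> bytes:
        """Issue a fresh nonce that the host must bind into the template ID."""
        self._nonce = secrets.token_bytes(32)
        return self._nonce

    def commit_enrol(self, template_id: bytes, template: bytes) -> bool:
        """Store a template; with validation on, refuse IDs the sensor cannot re-derive."""
        if self._validate_ids:
            nonce, self._nonce = self._nonce, None  # each nonce is single-use
            if nonce is None:
                return False
            expected = host_make_id(self._secret, nonce)
            if not hmac.compare_digest(expected, template_id):
                return False
        self.templates[template_id] = template
        return True

def demo() -> dict:
    secret = secrets.token_bytes(32)
    strict, loose = Sensor(secret, True), Sensor(secret, False)
    first_nonce = strict.begin_enrol()
    good_id = host_make_id(secret, first_nonce)
    out = {"mac_bound_id": strict.commit_enrol(good_id, b"template-A")}
    strict.begin_enrol()
    out["arbitrary_id"] = strict.commit_enrol(secrets.token_bytes(32), b"template-B")
    strict.begin_enrol()
    out["stale_id"] = strict.commit_enrol(good_id, b"template-C")  # bound to old nonce
    out["unvalidated_arbitrary_id"] = loose.commit_enrol(secrets.token_bytes(32), b"template-D")
    out["strict_count"] = len(strict.templates)
    return out
```

In the validating sensor only the ID derived from the current nonce is accepted; the non-validating sensor stores whatever ID the host supplies, which is the enrolment difference the paragraph above describes.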

The researchers discovered, after some trial and error, that it is possible to use the Linux template database (and thus ID) for authentication. It required a man-in-the-middle attack to rewrite config packets, but it got them into the device in the end.

The second device, the Lenovo ThinkPad T14, required a different approach. The researchers discovered that SDCP was disabled on the chip, even though it was supported. The Synaptics sensor used a custom TLS stack for secure communication between host and sensor.

With that figured out, the plan to attack TLS directly was formed. They could already negotiate TLS and read client certificate and key data. The data is encrypted, and after some digging, the researchers found out that the encryption key is derived from the machine's product name and serial number.

With that figured out, the engineers created an attack that allowed them to read and decrypt the encrypted data, negotiate a TLS session with the sensor, enumerate valid fingerprint template IDs, and spoof the valid IDs to boot into Windows using the fake fingerprint.

The final device, the Microsoft Surface Pro, used a chip by ELAN. The researchers were surprised to find out that it did not use SDCP, used cleartext USB communication and performed no authentication. This sensor was the easiest to bypass because of the lack of security.

Closing Words

All three fingerprint sensors were bypassed in the test to allow attackers to sign in as any user on the system. Most Windows users may want to avoid using fingerprint authentication on Windows laptops for the time being until these issues are sorted out.

Now You: How do you sign in to Windows?


Comments

  1. Anonymous said on November 24, 2023 at 12:52 am
    Reply

    If only security researchers found a way to bypass ghacks pro-Brave/Google comment only system.

  2. 45 RPM said on November 23, 2023 at 5:52 pm
    Reply

    I give Windows the finger multiple times a day.

  3. Ben Myers said on November 22, 2023 at 5:01 pm
    Reply

    I don’t use Windows Hello fingerprint. Never have, never will.

    Is anyone surprised that the Microsoft Surface has the least secure fingerprint tech?

  4. VioletMoon said on November 22, 2023 at 3:33 pm
    Reply

    Oh, like in the movies? ” . . . using the fake fingerprint.”

    “The Microsoft Surface Pro . . . This sensor was the easiest to bypass because of the lack of security.” Is there humor here? Or pathos?

    If it’s this easy to lift a fingerprint . . .

    https://www.ehow.com/how_6523624_lift-fingerprints-home.html

    . . . I am surprised the use of fingerprints for security was ever an option.

  5. chesscanoe said on November 22, 2023 at 1:12 pm
    Reply

    I went back to PIN use a couple of years ago on my Dell Inspiron 16 because I found fingerprint recognition was subject to intermittent false negative response.

  6. bruh said on November 22, 2023 at 12:27 pm
    Reply

    Why use silly things like windows hello in the first place?

    interesting article
