Windows Hello did not protect: researchers managed to bypass popular fingerprint scanners in laptops

Microsoft’s Windows Hello fingerprint authentication system was compromised on laptops from Dell, Lenovo, and Microsoft itself. Security researchers at Blackwing Intelligence have discovered vulnerabilities in three of the most popular fingerprint sensors commonly used for security in Windows Hello laptops.

The study, presented at Microsoft’s BlueHat conference in October, focused on fingerprint sensors from Goodix, Synaptics, and ELAN. Researchers have created a USB device capable of performing a Man in the middle (MitM) attack, potentially allowing unauthorized access to a stolen laptop or facilitating an attack on an unattended device.

The vulnerability was successfully exploited on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X. The researchers bypassed Windows Hello security on these devices by reverse engineering both the software and hardware and identifying cryptographic flaws in Synaptics’ proprietary TLS sensor. The process involved decoding and reimplementing proprietary protocols.

Fingerprint sensors are becoming increasingly popular among Windows laptop users, driven by Microsoft’s desire to popularize Windows Hello and a password-free future. However, this is not the first time that Windows Hello biometric authentication has failed to provide the required level of security. In 2021, Microsoft patched a vulnerability that allowed Windows Hello facial recognition to be bypassed by using the victim’s infrared image.

The researchers noted that Microsoft’s Secure Device Connection Protocol (SDCP) was not enabled on two of the three targeted devices. They recommend that OEMs enable SDCP and have their fingerprint sensor implementations audited by qualified experts. Blackwing Intelligence also investigates attacks on sensor firmware and fingerprint sensor security on Linux, Android, and Apple devices.