Fingerprint authentication is surprisingly easy to bypass - researchers find critical vulnerabilities in Windows Hello

News
By published

Hackers crack top 3 Windows fingerprint access laptops

Representational image depecting cybersecurity protection
(Image credit: Shutterstock)

The fingerprint-enabled security systems on many top business laptops around today may not be as ironclad as first thought, new research has claimed.

The Microsoft Offensive Research and Security Engineering (MORSE) recently handed over a set research targets to Blackwing Intelligence, tasking it to crack their security.

The research targets were three Windows laptops with the top three fingerprint sensors on the market, used to identify and grant access to users through Windows Hello. Not only did the firm manage to crack all three laptops, they did so in some surprising and intuitive ways.

Windows Hello flaws

Blackwing Intelligence was given three laptops; a Dell Inspiron 15; a Lenovo ThinkPad T14; and a Microsoft Surface Pro Type Cover with Fingerprint ID.

In the three months Blackwing had, the firm managed to crack all three laptops using a variety of increasingly inventive methods, before reporting the vulnerabilities back to MORSE.

The Inspiron 15 was identified as the particularly vulnerable target due to a number of factors including poor coding quality, clear text communication, and good USB and Linux support.

By using a Raspberry Pi 4 (RP4) as a man-in-the-middle (MitM) device, they found they were able to disconnect the fingerprint sensor and then use the RP4 to enumerate fingerprints in the Windows database, enrol their own fingerprints into a Linux database (listing them as a valid Windows user in the process), and then divert the fingerprint sensor to the Linux database which then pulled the authenticated fingerprint and granted access.

In its blog, BlackWing concluded that, "Biometric authentication can be super useful to allow users to conveniently log in.

"Microsoft did a good job designing Secure Device Connection Protocol (SDCP) to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives," it noted.

"Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all.

"Finally, we found that SDCP wasn’t even enabled on two out of three of the devices we targeted."

More from TechRadar Pro

Benedict Collins
Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.

Read more
Hand holding smartphone and scan fingerprint biometric identity for unlock her mobile phone
Passwordless authentication continues to grow, with biometrics helping push adoption
Frustrated unhappy laptop user girl touching head at work table with computer
Five essential tips for keeping your new PC secure
Person using finger print authentication
Passwords out, passkeys in: The future of secure authentication
password manager
I'm a security expert - here are my biggest tips for creating a secure password for work and home life to stay safe online
Hands typing on a keyboard surrounded by security icons
Outdated ID verification myths put businesses at risk
An abstract image of a lock against a digital background, denoting cybersecurity.
Building a resilient workforce security strategy
Latest in Pro
cybersecurity
What's the right type of web hosting for me?
Security padlock and circuit board to protect data
Trust in digital services around the world sees a massive drop as security worries continue
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
construction
Building in the digital age: why construction’s future depends on scaling jobsite intelligence
Latest in News
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 23 (game #1154)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 23 (game #385)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 23 (game #651)
Google Pixel 9 Pro Fold main display opened
Apple is rumored to be prioritizing battery life on the foldable iPhone – which could also feature a liquid metal hinge for added durability
Google Pixel 9
The Google Pixel 10 just showed up in Android code – and may come with a useful speed boost
L-mount alliance
Sirui joins L-Mount Alliance to deliver its superb budget lenses for Leica, DJI, Sigma and Panasonic cameras
More about pro
HP Fury G1i 18"

'2-inches gets you 30% more screen': HP is pitching 18-inch laptop as the best new thing in tech
Framework Desktop

Framework's Desktop is selling like hot cakes; Ryzen Max+ 395, Max 383 batches are sold out with next shipment in Q3
Anycubic foldable portable 3D printer

Anycubic may launch this gorgeous foldable portable 3D printer any day soon, and I can't wait to try it out
See more latest
Most Popular
Anycubic foldable portable 3D printer
Anycubic may launch this gorgeous foldable portable 3D printer any day soon, and I can't wait to try it out
HP Fury G1i 18"
'2-inches gets you 30% more screen': HP is pitching 18-inch laptop as the best new thing in tech
Framework Desktop
Framework's Desktop is selling like hot cakes; Ryzen Max+ 395, Max 383 batches are sold out with next shipment in Q3
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 23 (game #1154)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 23 (game #651)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 23 (game #385)
Google Pixel 9 Pro Fold main display opened
Apple is rumored to be prioritizing battery life on the foldable iPhone – which could also feature a liquid metal hinge for added durability
A person using a smartphone with an ecommerce website showing on a laptop.
Consumers are warming up to AI assistants, survey finds - 1/3 of us would allow AI to make purchases
A bloodied Mark staring at an off-screen Helly as Gemma screams at him from behind an exit door in Severance season 2 episode 10
Severance season 3: everything we know so far about the wildly popular Apple TV+ show's next chapter
Nvidia DGX Spark AI supercomputer
Project Digits is now DGX Spark: Nvidia raises its price by 33% as HPE, Dell jump on Petaflop mini AI bandwagon