In a shocking development, cybersecurity researchers at Blackwing Intelligence have discovered critical vulnerabilities that can render Windows Hello useless as an authentication tool on popular laptops like Microsoft Surface Pro X, Lenovo ThinkPad T14, and Dell Inspiron 15.
The vulnerability was discovered by researchers Timo Teräs and Jesse D’Aguanno.
These flaws are present in fingerprint sensors manufactured by reputed brands like ELAN, Synaptics, and Goodix.
The security loopholes can potentially enable malicious players to bypass security measures which raises serious concerns about the protection of user data on thousands of devices.
The compromised fingerprint sensors are backed by the MoC (match-on-chip) technology. This technology integrates biometric functions directly into the circuit of the fingerprint sensor.
Although the technology has been designed to prevent stored fingerprint data from being replayed, it is not immune to malicious sensors that falsely claim successful user authentication.
What Led To The Vulnerability In The Fingerprint Sensor?
Microsoft created an SDCP (Secure Device Connection Protocol) to mitigate vulnerabilities by establishing a secure end-to-end channel. However, the researchers found that malicious players can bypass these defense mechanisms through a novel method and launch adversary-in-the-middle (AitM) attacks.
The ELAN sensor, lacking SDCP support, was identified as susceptible to sensor spoofing and clear-text transmission of security identifiers (SIDs).
This allows any USB device to impersonate the fingerprint sensor, which falsely authenticates the user’s login. In the default settings of Synaptics, SDCP was turned off, and the custom Transport Layer Security (TLS) stack in this system was flawed. Miscreants can take advantage of this security loophole to bypass biometric authentication.
On the other hand, the Goodix sensor enables attackers to take advantage of the absence of SDCP support in Linux. There are some differences in enrolment operations between Linux and Windows.
This attack involves multiple steps, where the attackers boot the system to Linux, register their fingerprints, and manipulate the connection between the sensor and the host. Eventually, the attacker logs into the system as a legitimate user.
This Is What Researchers Recommend To Mitigate Risks
Researchers recommend laptop users stick to using equipment manufacturers (OEMs) so that they enable SDCP and carry out independent audits of fingerprint sensors.
However, the discovery of the vulnerabilities comes as a blow to Windows Hello biometrics-based authentication. Back in July 2021, Microsoft had to fix security issues where adversaries could spoof the face of a target and bypass the login screen.
Researchers have also acknowledged that Microsoft has designed SDCP for a secure channel between hosts and biometric devices. However, they didn’t hesitate to point out the apparent discrepancies in the goals of device manufacturers.
Besides, they stress that SDCP only has a limited scope in controlling the operation of a device. This exposes them to significant vulnerabilities that call for attention.
Users need to cultivate vigilance, while OEMs come under pressure to fix the security loopholes. This development poses yet another challenge for the tech industry, where they need to strike the right balance between security and convenience.
