The biometric Windows Hello implementations of several laptop manufacturers contain vulnerabilities. Researchers at Blackwing Intelligence examined laptops from Microsoft, Lenovo and Dell, among others.
Windows Hello is an authentication tool that allows users to log into their devices using a fingerprint or another biometric method. This eliminates the need for them to enter passwords, which should benefit security.
However, Blackwing Intelligence researchers discovered that several implementations of the authentication tool on laptops from different manufacturers have vulnerabilities. These allow hackers to gain access to the devices by bypassing Windows Hello authentication. The investigation was done in part at Microsoft’s own request.
Problem in SDCP protocol
More specifically, the vulnerabilities reside in the underlying Microsoft technology, the Secure Device Connection Protocol (SDCP). This allows a Windows PC or laptop to verify the security of a fingerprint before processing the log-in request. Many of the laptops require this technology for Windows Hello implementations to work.
When authenticating with a fingerprint, the scanner generates a signal that Windows Hello uses to determine whether to accept or reject the request. SDCP has mechanisms that prevent hackers from manipulating this signal. It also checks that the fingerprint scanner does not contain malware and is built in line with Microsoft security requirements.
However, the study shows that SDCP does not always provide sufficient security for the fingerprint scanner and is not always enabled. It also does not cover a whole range of other attack surfaces. This still allows hackers to physically access the tested devices.
Microsoft Surface X
On the tested Surface X laptop from Microsoft itself, SDCP was found not to be enabled, allowing hackers to easily replace the fingerprint scanner with their own manipulated scanner. Hackers could cheaply build such a scanner themselves, with, for example, a Raspberry Pi microcomputer.
Lenovo ThinkPad T14
The fingerprint scanner of the tested Lenovo ThinkPad T14 could also be manipulated, but doing so is slightly more complicated than on the Surface X laptop. This is because hackers must first have the encryption key of the TLC implementation. They can derive this from the laptop’s product name and the corresponding serial number. These are easily found on the sticker on the back of the laptop in question.
Dell Inspiron 15
Finally, the tested Dell Inspiron 15 laptop also proved not to be secure. This laptop does have SDCP activated, but the implementation only works for Windows. The tool can be bypassed by configuring the laptop to boot Linux instead of Windows. When Linux boots, hackers can tap the data generated by the fingerprint sensor when processing log-in requests.
They can then use this data to force Windows Hello to accept log-in requests that are otherwise modified.