A team of security researchers has discovered vulnerabilities in the embedded fingerprint sensors used by Windows Hello, Microsoft’s biometric authentication system, enabling them to bypass the security measures on Dell Inspiron, Lenovo ThinkPad, and Microsoft Surface Pro X laptops.
Researchers breach Windows Hello fingerprint security
The researchers from Blackwing Intelligence were able to exploit weaknesses in the sensors made by ELAN, Synaptics, and Goodix, which are widely used in laptops and other devices.
By using a custom Linux-powered Raspberry Pi 4 device, the researchers were able to intercept and manipulate communication between the fingerprint sensor and the laptop, allowing them to spoof the sensor and successfully authenticate themselves as legitimate users.
The researchers’ findings highlight the need for manufacturers to ensure that biometric authentication systems are properly implemented and secured, as vulnerabilities in these systems can have serious consequences.
Microsoft has acknowledged the vulnerabilities and is working with manufacturers to address them. The company also recommends that users enable two-factor authentication as an additional layer of security.
In addition to enabling two-factor authentication, users can also take steps to protect their fingerprints, such as avoiding using the same fingerprint for multiple devices and avoiding storing fingerprint data in unencrypted environments.
Overall, the researchers’ findings underscore the importance of cybersecurity vigilance, as even widely used and trusted systems can be vulnerable to attack.
Additional key takeaways
- Match-on-chip (MoC) sensors, which are supposed to be more secure than traditional fingerprint sensors, can still be vulnerable to attacks.
- Secure Device Connection Protocol (SDCP), a protocol designed to protect communication between fingerprint sensors and laptops, was not enabled on two of the three laptops tested.
- Manufacturers need to take a more proactive approach to securing biometric authentication systems.
Users can help protect themselves by
- Enabling two-factor authentication.
- Avoiding using the same fingerprint for multiple devices.
- Avoiding storing fingerprint data in unencrypted environments.
- Being aware of the latest cybersecurity threats and vulnerabilities.
What does this mean for you?
This research is a reminder that even widely used and trusted systems can be vulnerable to attack. It is important to be aware of the latest cybersecurity threats and vulnerabilities and to take steps to protect yourself, such as enabling two-factor authentication and avoiding using the same fingerprint for multiple devices.