Blackwing Intelligence has unearthed several vulnerabilities that enable circumvention of the Windows Hello authentication system on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops. These security loopholes are attributable to fingerprint sensors from Goodix, Synaptics, and ELAN, which are integrated into these devices.
Each of the three fingerprint sensor types operates on a ‘match on chip’ (MoC) principle, embedding the matching functions and other biometric controls directly into the sensor’s circuitry. This means that all fingerprint data is processed and stored within the sensor itself, rather than being transmitted to an external processor or storage.
However, the MoC design does not thwart ‘Adversary-in-the-Middle’ (AitM) attacks: an attacker who can sit on the sensor-to-host link can simulate legitimate sensor-to-host communication and falsely report a successful authentication of an authorized user.
A prerequisite for employing the fingerprint reader is that users of the targeted laptops must have already configured fingerprint authentication.
Blackwing Intelligence discovered that the ELAN sensor is vulnerable due to its lack of support for Microsoft’s Secure Device Connection Protocol (SDCP) and its transmission of security identifiers in plain text, enabling any USB device to impersonate a fingerprint sensor.
In the case of Synaptics, the issue lies in the fact that SDCP is disabled by default, and a vulnerable custom TLS stack is used to protect the USB connections between the host driver and the sensor, which can be exploited to bypass biometric authentication.
To exploit the Goodix sensor’s vulnerability, a cybercriminal could leverage the discrepancies in fingerprint enrollment between Windows and Linux (Linux does not support SDCP): the attacker’s fingerprint is enrolled in the Linux database and then used to access the Windows system as a legitimate user.
It’s noteworthy that, although the Goodix sensor maintains separate fingerprint template databases for Windows and non-Windows systems, the attack is feasible because the host driver sends an unauthenticated configuration packet to the sensor, indicating which database to use during sensor initialization.
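The common thread in the three findings above is that the host trusts what arrives over USB, including which template database the sensor was told to use. The following Python model is added here and is not part of the Blackwing Intelligence report or of Microsoft’s SDCP specification; it shows the host-side checks an authenticated sensor channel gives a defender: a fresh challenge per attempt, a MAC over the result that binds challenge, database identifier, template and outcome together, and a host that verifies the database identifier instead of accepting whatever the sensor was configured with. Everything in it is constructed: the session key is a fixed test value (real SDCP derives keys from a device key pair and a handshake), the matcher is byte equality, and the database identifiers and fingerprint samples are made up.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

# Database identifiers. The Goodix sensor keeps separate Windows and
# non-Windows template stores; these numeric values are constructed for the
# example and are not the sensor's real identifiers.
DB_WINDOWS = 1
DB_OTHER = 2


@dataclass(frozen=True)
class MatchResult:
    """What the sensor reports to the host after one match attempt."""
    nonce: bytes        # host challenge this result answers
    db_id: int          # template database the sensor matched against
    template_id: int    # enrolled template that matched (0 = none)
    matched: bool
    tag: bytes          # HMAC over the fields above, keyed with the session key


def _transcript(nonce: bytes, db_id: int, template_id: int, matched: bool) -> bytes:
    """Fixed-width encoding of every field the host is going to trust."""
    return nonce + struct.pack(">BIB", db_id, template_id, int(matched))


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class Sensor:
    """Toy match-on-chip sensor: enrolled templates never leave this object."""

    def __init__(self, session_key: bytes, databases: dict[int, dict[int, bytes]]):
        self._key = session_key
        self._databases = databases  # db_id -> {template_id: enrolled sample}

    def match(self, nonce: bytes, db_id: int, probe: bytes) -> MatchResult:
        # Toy matcher: exact byte equality stands in for a biometric comparison.
        store = self._databases.get(db_id, {})
        template_id = next((tid for tid, sample in store.items() if sample == probe), 0)
        matched = template_id != 0
        tag = _mac(self._key, _transcript(nonce, db_id, template_id, matched))
        return MatchResult(nonce, db_id, template_id, matched, tag)


class Host:
    """Host side: decides whether a reported match unlocks the session."""

    def __init__(self, session_key: bytes, expected_db: int):
        self._key = session_key
        self._expected_db = expected_db
        self._pending: Optional[bytes] = None

    def begin_auth(self) -> bytes:
        self._pending = os.urandom(16)  # fresh challenge for this attempt only
        return self._pending

    def accept(self, result: MatchResult) -> bool:
        nonce, self._pending = self._pending, None  # a challenge is single-use
        if nonce is None or result.nonce != nonce:
            return False  # no attempt in flight, or a replayed result
        if result.db_id != self._expected_db:
            return False  # matched against a store the host did not ask for
        expected = _mac(self._key, _transcript(result.nonce, result.db_id,
                                               result.template_id, result.matched))
        if not hmac.compare_digest(expected, result.tag):
            return False  # not produced by the paired sensor
        return result.matched


def demo() -> dict[str, bool]:
    """Run the scenarios from the article against the model; returns accept() results."""
    key = hashlib.sha256(b"constructed session key").digest()
    alice, mallory = b"alice-sample", b"mallory-sample"  # constructed probes
    sensor = Sensor(key, {DB_WINDOWS: {7: alice}, DB_OTHER: {3: mallory}})
    host = Host(key, expected_db=DB_WINDOWS)
    out: dict[str, bool] = {}

    # 1. Paired sensor, enrolled user, expected database: accepted.
    n = host.begin_auth()
    genuine = sensor.match(n, DB_WINDOWS, alice)
    out["genuine"] = host.accept(genuine)

    # 2. Unknown probe: the sensor honestly reports no match.
    n = host.begin_auth()
    out["no_match"] = host.accept(sensor.match(n, DB_WINDOWS, mallory))

    # 3. A USB device without the session key claims success (ELAN case).
    n = host.begin_auth()
    forged = MatchResult(n, DB_WINDOWS, 7, True,
                         _mac(b"not the session key", _transcript(n, DB_WINDOWS, 7, True)))
    out["forged"] = host.accept(forged)

    # 4. The earlier genuine result replayed under a new challenge.
    host.begin_auth()
    out["replayed"] = host.accept(genuine)

    # 5. A real match, but against the non-Windows store (Goodix case).
    n = host.begin_auth()
    out["wrong_db"] = host.accept(sensor.match(n, DB_OTHER, mallory))
    return out


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:10s} -> {'accepted' if accepted else 'rejected'}")
```

Only the first scenario unlocks the session. The fifth one is the point of the Goodix finding: the sensor did nothing wrong and the MAC is valid, but the host still refuses because the database identifier is part of what it verifies rather than a setting it sent out unauthenticated and then took on trust.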
Manufacturers are advised to implement SDCP and to have their fingerprint sensor implementations audited by independent experts. This is not the first successful bypass of Windows Hello’s biometric authentication: in July 2021, Microsoft patched CVE-2021-34466 (CVSS: 6.1), which enabled circumventing the authentication system using an infrared image.