Fingerprint authentication is surprisingly easy to bypass - researchers find critical vulnerabilities in Windows Hello

Representational image depecting cybersecurity protection
(Image credit: Shutterstock)

The fingerprint-enabled security systems on many top business laptops around today may not be as ironclad as first thought, new research has claimed.

The Microsoft Offensive Research and Security Engineering (MORSE) recently handed over a set research targets to Blackwing Intelligence, tasking it to crack their security.

The research targets were three Windows laptops with the top three fingerprint sensors on the market, used to identify and grant access to users through Windows Hello. Not only did the firm manage to crack all three laptops, they did so in some surprising and intuitive ways.

Windows Hello flaws

Blackwing Intelligence was given three laptops; a Dell Inspiron 15; a Lenovo ThinkPad T14; and a Microsoft Surface Pro Type Cover with Fingerprint ID.

In the three months Blackwing had, the firm managed to crack all three laptops using a variety of increasingly inventive methods, before reporting the vulnerabilities back to MORSE.

The Inspiron 15 was identified as the particularly vulnerable target due to a number of factors including poor coding quality, clear text communication, and good USB and Linux support.

By using a Raspberry Pi 4 (RP4) as a man-in-the-middle (MitM) device, they found they were able to disconnect the fingerprint sensor and then use the RP4 to enumerate fingerprints in the Windows database, enrol their own fingerprints into a Linux database (listing them as a valid Windows user in the process), and then divert the fingerprint sensor to the Linux database which then pulled the authenticated fingerprint and granted access.

In its blog, BlackWing concluded that, "Biometric authentication can be super useful to allow users to conveniently log in.

"Microsoft did a good job designing Secure Device Connection Protocol (SDCP) to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives," it noted.

"Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all.

"Finally, we found that SDCP wasn’t even enabled on two out of three of the devices we targeted."

More from TechRadar Pro

Benedict Collins
Staff Writer (Security)

Benedict Collins is a Staff Writer at TechRadar Pro covering privacy and security. Before settling into journalism he worked as a Livestream Production Manager, covering games in the National Ice Hockey League for 5 years and contributing heavily to the advancement of livestreaming within the league. Benedict is mainly focused on security issues such as phishing, malware, and cyber criminal activity, but he also likes to draw on his knowledge of geopolitics and international relations to understand the motives and consequences of state-sponsored cyber attacks.

He has a MA in Security, Intelligence and Diplomacy, alongside a BA in Politics with Journalism, both from the University of Buckingham. His masters dissertation, titled 'Arms sales as a foreign policy tool,' argues that the export of weapon systems has been an integral part of the diplomatic toolkit used by the US, Russia and China since 1945. Benedict has also written about NATO's role in the era of hybrid warfare, the influence of interest groups on US foreign policy, and how reputational insecurity can contribute to the misuse of intelligence.

Outside of work Ben follows many sports; most notably ice hockey and rugby. When not running or climbing, Ben can most often be found deep in the shrubbery of a pub garden.