New Flaws in Fingerprint Sensors Let Attackers Bypass Windows Hello Login

A new research has uncovered multiple vulnerabilities that could be exploited to bypass Windows Hello authentication on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops.

The flaws were discovered by researchers at hardware and software product security and offensive research firm Blackwing Intelligence, who found the weaknesses in the fingerprint sensors from Goodix, Synaptics, and ELAN that are embedded into the devices.

A prerequisite for fingerprint reader exploits is that the users of the targeted laptops have fingerprint authentication already set up.

All the fingerprint sensors are a type of sensor called “match on chip” (MoC), which integrates the matching and other biometric management functions directly into the sensor’s integrated circuit.

“While MoC prevents replaying stored fingerprint data to the host for matching, it does not, in itself, prevent a malicious sensor from spoofing a legitimate sensor’s communication with the host and falsely claiming that an authorized user has successfully authenticated,” researchers Jesse D’Aguanno and Timo Teräs said.

The MoC also does not prevent replay of previously recorded traffic between the host and sensor.

Although the Secure Device Connection Protocol (SDCP) created by Microsoft aims to alleviate some of these problems by creating an end-to-end secure channel, the researchers uncovered a novel method that could be used to circumvent these protections and stage adversary-in-the-middle (AitM) attacks.

Specifically, the ELAN sensor was found to be vulnerable to a combination of sensor spoofing stemming from the lack of SDCP support and cleartext transmission of security identifiers (SIDs), thereby allowing any USB device to masquerade as the fingerprint sensor and claim that an authorized user is logging in.

In the case of Synaptics, not only was SDCP discovered to be turned off by default, the implementation chose to rely on a flawed custom Transport Layer Security (TLS) stack to secure USB communications between the host driver and sensor that could be weaponized to sidestep biometric authentication.

The exploitation of Goodix sensor, on the other hand, capitalizes on a fundamental difference in enrollment operations carried out on a machine that’s loaded with both Windows and Linux, taking advantage of the fact that the latter does not support SDCP to perform the following actions –

• Boot to Linux
• Enumerate valid IDs
• Enroll attacker’s fingerprint using the same ID as a legitimate Windows user
• MitM the connection between the host and sensor by leveraging the cleartext USB communication
• Boot to Windows
• Intercept and rewrite the configuration packet to point to the Linux DB using our MitM
• Login as the legitimate user with attacker’s print

It’s worth pointing out that while the Goodix sensor has separate fingerprint template databases for Windows and non-Windows systems, the attack is possible owing to the fact that the host driver sends an unauthenticated configuration packet to the sensor to specify what database to use during sensor initialization.

To mitigate such attacks, it’s recommended that original equipment manufacturers (OEMs) enable SDCP and ensure that the fingerprint sensor implementation is audited by independent qualified experts.

This isn’t the first time that Windows Hello biometrics-based authentication has been successfully defeated. In July 2021, Microsoft issued patches for a medium-severity security flaw (CVE-2021-34466, CVSS score: 6.1) that could permit an adversary to spoof a target’s face and get around the login screen.

“Microsoft did a good job designing SDCP to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives,” the researchers said.

“Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all.”