A team of researchers has bypassed the security of Windows Hello, the feature used to log into Windows computers, on machines from brands including Dell, Lenovo, and Microsoft itself.
Black Wing Intelligence Security Company reported that its researchers uncovered multiple security vulnerabilities within the fingerprint login system utilized by Windows computers, relying on fingerprint sensors from major companies such as Goodix, Synaptics, and Elan. This revelation took place during an interactive presentation by the company at the Microsoft BlueHat 2023 cybersecurity conference.
The report underscored the significance of this newfound vulnerability, emphasizing its broad impact due to the widespread adoption of fingerprint sensors in personal computers commonly used by businesses.
This discovery unfolded against the backdrop of a collaboration between Microsoft’s MORSE division for offensive research and security engineering and Black Wing Intelligence, aimed at evaluating the security efficacy provided by fingerprint sensors.
The research team from Black Wing Intelligence built a USB device capable of carrying out a “Man-in-the-Middle” attack against a victim’s computer, making it easier to gain unauthorized access to a stolen computer, or to breach the privacy of one left unattended by its owner.
The researchers targeted three computers: a Dell Inspiron 15, a Lenovo ThinkPad T14, and a Microsoft Surface Pro X. Their approach successfully bypassed Windows Hello together with the fingerprint sensors built into those computers, and also defeated a standalone fingerprint reader.
In their investigation, the researchers delved into the reverse engineering of the software components within the “Windows Hello” system, alongside the physical components related to fingerprint reading. Additionally, they identified security flaws in the encryption methods applied to Synaptics’ fingerprint sensor data.
The detailed report by the researchers highlighted that the vulnerabilities traced back to shortcomings in the encryption processes employed by manufacturers of fingerprint reading devices, paving the way for hackers to target and compromise these devices. The researchers commended Microsoft’s developed protocol, the Secure Device Connection Protocol, for securing fingerprint data across Windows computers.
In 2020, Microsoft announced that nearly 85% of Windows 10 users were logging in with facial or fingerprint recognition rather than a traditional password.
Bypassing the facial recognition feature on the “Windows Hello” system is not a novel occurrence. In 2021, researchers successfully manipulated the facial recognition system using an infrared-captured image of the victim’s face, enabling them to gain unauthorized access to the victim’s computer.