A team of security researchers has revealed how they were able to break the Windows Hello fingerprint authentication system, which is used by millions of laptops.
The researchers, from Blackwing Intelligence, were hired by Microsoft's Offensive Research and Security Engineering (MORSE) to test the security of three popular fingerprint sensors embedded in laptops from Dell, Lenovo and Microsoft.
They found that the fingerprint sensors, made by ELAN, Synaptics and Goodix, had several vulnerabilities in their software and hardware design, including weak encryption, proprietary protocols and poor verification.
By reverse engineering the software and hardware of the sensors, the researchers were able to extract the fingerprint images, spoof them and bypass the Windows Hello authentication process.
The researchers tested three laptops from different brands that use Match-on-Chip (MoC) technology for their fingerprint sensors. MoC is supposed to make fingerprint authentication more secure by performing the matching process on the sensor's own processor, rather than on the laptop's main CPU. Microsoft also developed a protocol called Secure Device Connection Protocol (SDCP) to protect the communication between the sensor and the laptop's OS.
However, the researchers found a way to bypass both MoC and SDCP using a simple device called a Raspberry Pi 4. They connected the Raspberry Pi 4 to the laptop's USB port and intercepted the data sent by the sensor. Then, they modified the data to trick the laptop into thinking that the user's fingerprint was valid. This way, they could unlock the laptop without touching the sensor.
The researchers blamed the device manufacturers for not implementing SDCP correctly. They said that Microsoft designed SDCP well, but the manufacturers did not follow its specifications. They also suggested some ways to improve the security of fingerprint sensors, such as adding encryption and authentication to the data transmission.
According to the researchers, SDCP is only a subcomponent of what should be examined for defensive purposes. “Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all. Finally, we found that SDCP wasn’t even enabled on two out of three of the devices we targeted.” Blackwing Intelligence recommended that manufacturers immediately double-check their implementations to ensure SDCP is enabled on their devices. Organizations which may have purchased products for which the issues described above are of impact should examine options to use alternative authentication paths.
Cybersecurity is a crucial aspect of any business, especially in the digital age. However, not all security products are created equal, and choosing the wrong one can have serious consequences for your organization. That's why it's important to make wise security product choices that suit your specific needs and goals.
But how do you know which security products are best for you? How do you compare different vendors and features? How do you ensure that you get the best value for your money and the best protection for your data?
That's where a consulting Chief Information Security Officer (CISO) from Webcheck Security can help. A consulting CISO (also known as a fractional CISO, FISO, or vCISO) is a certified and experienced security professional who can provide you with unbiased and expert advice on how to select, implement, and manage the best security products for your business. A consulting CISO can also help you with other aspects of cybersecurity, such as risk assessment, compliance, training, and incident response.
By hiring a consulting CISO from Webcheck Security, you can benefit from:
A customized and comprehensive security strategy that aligns with your business objectives and budget
A thorough evaluation of your current security posture and gaps
A curated list of the best security products for your specific needs and industry
A smooth and seamless integration of the selected security products into your existing infrastructure
A continuous monitoring and optimization of your security performance and ROI
A peace of mind knowing that your data and assets are protected by the latest and most effective security solutions
Don't wait until it's too late. Contact us today to find out how a consulting CISO from Webcheck Security can help you make wise security product choices and boost your cybersecurity.