New Flaws in Fingerprint Sensors Allow Attackers to Bypass Windows Hello Login

Nov 22, 2023 | Newsroom | Authentication Security / Windows

New research has uncovered several vulnerabilities that can be exploited to bypass Windows Hello authentication on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops.

The flaws were discovered by researchers at the product and software security and malware research firm Blackwing Intelligence, who found vulnerabilities in the fingerprint sensors from Goodix, Synaptics, and ELAN that are embedded in the devices.

A prerequisite for exploiting the fingerprint reader flaws is that the users of the targeted laptops already have fingerprint authentication set up.

All three fingerprint sensors are of a type called “match on chip” (MoC), which integrates matching and other biometric management functions directly into the sensor’s integrated circuit.

“While MoC prevents the replay of stored host fingerprint data for matching, it cannot, by itself, prevent a malicious sensor from spoofing a legitimate sensor’s host communication and falsely claim that an authorized user has been successfully authenticated,” researchers Jesse D’Aguanno and Timo Teräs said.

MoC also cannot prevent the replay of previously recorded traffic between host and sensor.

Although the Secure Device Connection Protocol (SDCP) developed by Microsoft aims to alleviate some of these problems by creating an end-to-end secure channel, the researchers discovered a novel method that can be used to circumvent these protections and stage adversary-in-the-middle (AitM) attacks.
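The replay and spoofing points above can be seen in a small model, added here as an example that is not from the original article or the researchers. It is a simplified sketch in Python, not the SDCP wire format: the shared session key, the message fields, and the names `Host` and `sensor_report` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _tag(key: bytes, nonce: bytes, template_id: bytes) -> bytes:
    # The nonce is fixed-length (32 bytes), so plain concatenation is unambiguous.
    return hmac.new(key, b"match-result" + nonce + template_id, hashlib.sha256).digest()

def sensor_report(key: bytes, nonce: bytes, template_id: bytes) -> dict:
    """Sensor side: bind the match result to the host's current challenge."""
    return {"template_id": template_id, "nonce": nonce, "tag": _tag(key, nonce, template_id)}

class Host:
    def __init__(self, key: bytes, enrolled_ids):
        self.key, self.enrolled, self.pending = key, set(enrolled_ids), None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(32)  # fresh per login attempt
        return self.pending

    def accept_unauthenticated(self, msg: dict) -> bool:
        # Host that trusts any "match" message arriving over the bus.
        return msg.get("template_id") in self.enrolled

    def accept_authenticated(self, msg: dict) -> bool:
        nonce, self.pending = self.pending, None  # each challenge is single-use
        if nonce is None or msg.get("nonce") != nonce:
            return False  # stale or replayed response
        template_id = msg.get("template_id", b"")
        good = hmac.compare_digest(_tag(self.key, nonce, template_id), msg.get("tag", b""))
        return good and template_id in self.enrolled

def demo() -> dict:
    key = secrets.token_bytes(32)          # constructed session key
    host = Host(key, [b"user-0001"])       # constructed template ID
    genuine = sensor_report(key, host.challenge(), b"user-0001")
    results = {"genuine": host.accept_authenticated(genuine)}
    host.challenge()                       # new login attempt, new nonce
    results["replayed"] = host.accept_authenticated(genuine)
    forged = {"template_id": b"user-0001", "nonce": host.challenge(), "tag": bytes(32)}
    results["forged_tag"] = host.accept_authenticated(forged)
    results["no_auth_host"] = host.accept_unauthenticated({"template_id": b"user-0001"})
    return results

if __name__ == "__main__":
    print(demo())
```

The host that checks a nonce-bound MAC rejects both the recorded response and the unkeyed device, while the host that accepts a bare match message cannot tell either from a real sensor.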

Specifically, the ELAN sensor was found to be vulnerable to a combination of sensor spoofing stemming from a lack of SDCP support and clear text transmission of security identifiers (SIDs), thereby allowing any USB device to masquerade as a fingerprint sensor and claim that an authorized user is logged in.

In the case of Synaptics, not only was SDCP found to be turned off by default, but the implementation also chose to rely on a flawed custom Transport Layer Security (TLS) stack to secure USB communications between the host driver and the sensor, which could be weaponized to sidestep biometric authentication.

The exploitation of the Goodix sensor, on the other hand, capitalizes on a fundamental difference in the enrollment operations performed on a machine that runs both Windows and Linux, taking advantage of the fact that the latter does not support SDCP to perform the following actions:

  • Boot into Linux
  • List valid IDs
  • Enroll the attacker’s fingerprint using the same ID as a legitimate Windows user
  • MitM the connection between the host and sensor by using the cleartext USB communication
  • Boot into Windows
  • Intercept and rewrite the configuration packet to point to the Linux DB using our MitM
  • Log in as a legitimate user with the attacker’s print

It is worth pointing out that while the Goodix sensor has separate fingerprint template databases for Windows and non-Windows systems, the attack is possible because the host driver sends an unauthenticated configuration packet to the sensor to specify which database to use during sensor startup.

To mitigate such attacks, it is recommended that original equipment manufacturers (OEMs) implement SDCP and ensure that the fingerprint sensor implementation is audited by independent qualified experts.

This is not the first time that Windows Hello biometrics-based authentication has been successfully defeated. In July 2021, Microsoft issued patches for a medium-severity security flaw (CVE-2021-34466, CVSS score: 6.1) that could allow an adversary to spoof a target’s face and get around the login screen.

“Microsoft did a good job designing SDCP to provide a secure path between the host and biometric devices, but unfortunately device manufacturers seem to have misunderstood some of the goals,” the researchers said.

“Furthermore, SDCP only covers a very narrow scope of a typical device operation, while most devices have a large attack surface exposed that is not covered by SDCP at all.”
