A security group hired by Microsoft to test its Windows Hello fingerprint authentication hardware and software has reported that it was able to bypass that technology on a number of laptops, including a Microsoft Surface product.
The Blackwing Intelligence group revealed their findings in October as part of Microsoft's BlueHat security conference but only posted their results on their own site this week (via The Verge). The blog post, which has the catchy title "A Touch of Pwn", stated the group used the fingerprint sensors inside the Dell Inspiron 15 and the Lenovo ThinkPad T14 laptops, along with the Microsoft Surface Pro Type Cover with Fingerprint ID made for the Surface Pro 8 and X tablets. The specific fingerprint sensors were made by Goodix, Synaptics, and ELAN.
All of the Windows Hello-supported fingerprint sensors that were tested used “match on chip” hardware, which means that the authentication is handled on the sensor itself, which has its own microprocessor and storage. Blackwing stated:
A database of “fingerprint templates” (the biometric data obtained by the fingerprint sensor) is stored on-chip, and enrollment and matching is performed directly within the chip. Since fingerprint templates never leave the chip, this eliminates privacy concerns of biometric material being stored, and potentially exfiltrated, from the host — even if the host is compromised. This approach also prevents attacks that involve simply sending images of valid fingerprints to the host for matching.
Blackwing used reverse engineering to find flaws in the fingerprint sensors and then created their own USB device that could perform a man-in-the-middle (MitM) attack. This device allowed them to bypass the fingerprint authentication hardware in those devices.
The blog also pointed out that while Microsoft uses the Secure Device Connection Protocol (SDCP) "to provide a secure channel between the host and biometric devices", two of the three fingerprint sensors that were tested didn't even have SDCP enabled. Blackwing recommended that all fingerprint sensor companies not only enable SDCP on their products but also get a third-party company to make sure it works.
It should be pointed out that bypassing these fingerprint hardware products took "approximately three months" of work by Blackwing, with a lot of effort, but the point is they were successful. It remains to be seen if Microsoft, or the fingerprint sensor companies, can use this research to fix these issues.