Why not trust Windows Hello with your PC

Security researchers from Blackwing Intelligence managed to bypass Windows Hello fingerprint authentication on devices with the three most used fingerprint sensors in Windows.

The three target laptops were the Dell Inspiron 15, the Lenovo ThinkPad T14, and the Microsoft Surface Pro Type Cover with Fingerprint ID.

The report starts with the basics: the researchers explain how fingerprint sensors work. All three sensors were MoC sensors, which stands for Match on Chip. Such sensors use an embedded microprocessor to perform the fingerprint match and verify authentication requests on the chip itself, rather than on the host. Windows Hello requires fingerprint sensors that support MoC.


Two possible attacks against MoC sensors are spoofing the communication between the sensor and the host, and replaying previously recorded traffic so that the host accepts an old, genuine verification result as a fresh one.

Microsoft was reportedly aware of these weaknesses when it created Windows Hello and designed the Secure Device Connection Protocol (SDCP) for greater protection. Basically, what this protocol does is make sure that the fingerprint device is trusted and protect the communication between the fingerprint device and the host system.

The researchers provide more details about each of the attacks below. The first target was the Dell Inspiron 15 laptop. The Goodix sensor it uses supports Windows Hello and SDCP, and the same sensor is also supported on Linux.

The Linux driver gave the researchers clues about how the protocol is implemented and how it could be bypassed. On Windows, enrollment follows the process laid down by the SDCP specification; this is not the case on Linux. The main difference is that on Windows the template identifier is generated as a "MAC function on the host and validated on the sensor", which prevents the use of arbitrary identifiers. On Linux, the host driver simply generates the identifier and sends it to the sensor for storage.

The researchers found, after a few failed attempts, that it was possible to use the Linux template database (and therefore the identifier it had stored) for authentication. A man-in-the-middle attack was needed to rewrite the configuration packets that the device would use.
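To make the point about replayed results and host-issued identifiers concrete, here is a small Python model of a host and a match-on-chip sensor that share a pairing key. It is an added illustration for this article, not Blackwing's code and not Microsoft's SDCP implementation (the real protocol uses its own key agreement and message formats); the pairing key, the fingerprint values and the message layout are constructed for the example. It shows the two properties the article credits SDCP with: a match result recorded on the bus does not verify against a fresh nonce, and a template id that the host never MACed is refused by the sensor.

```python
import hashlib
import hmac
import secrets

# Constructed pairing key shared by host and sensor (assumption: in a real
# deployment the secret is established during device pairing; this toy model
# simply hard-codes a test value).
PAIRING_KEY = b"constructed-pairing-key-for-illustration"


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot run into each other."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class Sensor:
    """Toy match-on-chip sensor.

    It stores a template only if the template id carries a MAC computed by the
    paired host, and it binds every match result to the nonce of the current
    request, so a recorded result cannot be replayed later.
    """

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.templates: dict[bytes, bytes] = {}

    def enroll(self, template_id: bytes, id_mac: bytes, fingerprint: bytes) -> bool:
        expected = mac(self.key, b"enroll", template_id)
        if not hmac.compare_digest(expected, id_mac):
            return False  # id was not issued by the paired host: refuse to store it
        self.templates[template_id] = fingerprint
        return True

    def authorize(self, nonce: bytes, fingerprint: bytes):
        """Return (template_id, tag) on a match, or (None, None) otherwise."""
        for tid, stored in self.templates.items():
            if hmac.compare_digest(stored, fingerprint):
                return tid, mac(self.key, b"auth", nonce, tid)
        return None, None


class Host:
    """Toy host side: it issues ids and nonces and validates the sensor's tag."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.enrolled: set[bytes] = set()

    def enroll(self, sensor: Sensor, fingerprint: bytes):
        tid = secrets.token_bytes(8)
        if sensor.enroll(tid, mac(self.key, b"enroll", tid), fingerprint):
            self.enrolled.add(tid)
            return tid
        return None

    def verify(self, nonce: bytes, tid, tag) -> bool:
        if tid is None or tag is None or tid not in self.enrolled:
            return False
        return hmac.compare_digest(mac(self.key, b"auth", nonce, tid), tag)

    def authenticate(self, sensor: Sensor, fingerprint: bytes) -> bool:
        nonce = secrets.token_bytes(16)  # fresh for every request
        tid, tag = sensor.authorize(nonce, fingerprint)
        return self.verify(nonce, tid, tag)


# Constructed fingerprint "images": the toy sensor matches on exact bytes.
ALICE = b"constructed-fingerprint-alice"
MALLORY = b"constructed-fingerprint-mallory"


def scenario_legitimate_login() -> bool:
    """Enrolled user, fresh request: the host accepts the sensor's tag."""
    sensor, host = Sensor(PAIRING_KEY), Host(PAIRING_KEY)
    host.enroll(sensor, ALICE)
    return host.authenticate(sensor, ALICE)


def scenario_replayed_result() -> bool:
    """A genuine (id, tag) pair recorded earlier is presented for a new nonce."""
    sensor, host = Sensor(PAIRING_KEY), Host(PAIRING_KEY)
    host.enroll(sensor, ALICE)
    old_nonce = secrets.token_bytes(16)
    recorded = sensor.authorize(old_nonce, ALICE)  # the result seen on the bus earlier
    new_nonce = secrets.token_bytes(16)            # the host's nonce for the new request
    return host.verify(new_nonce, *recorded)       # tag was bound to old_nonce: rejected


def scenario_foreign_template_id() -> bool:
    """A template id the host never MACed (as another OS's driver would produce)."""
    sensor, host = Sensor(PAIRING_KEY), Host(PAIRING_KEY)
    host.enroll(sensor, ALICE)
    accepted = sensor.enroll(b"foreign-id", b"\x00" * 32, MALLORY)
    return accepted or host.authenticate(sensor, MALLORY)


if __name__ == "__main__":
    print("legitimate login:", scenario_legitimate_login())      # True
    print("replayed result:", scenario_replayed_result())        # False
    print("foreign template id:", scenario_foreign_template_id())  # False
```

The two rejections come from different checks: the replay fails because the tag is an HMAC over the nonce, and the foreign id fails because the sensor, not the host, validates the enrollment MAC. Remove either check and the corresponding scenario starts returning True, which is the shape of the weaknesses the article describes for the Dell and Surface devices.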

The second device, the Lenovo ThinkPad T14, required a different approach. The researchers discovered that SDCP was disabled on the device's chip, even though the chip supported it. Instead, the Synaptics sensor used a custom TLS stack to secure communication between host and sensor.

So they designed a direct attack on that TLS layer. They could already negotiate TLS and read the stored client certificate and key data. The data was encrypted, but after a bit of digging they found that the encryption key is derived from the product name and serial number of the machine... (security at its best)

So the researchers built an attack that allowed them to read and decrypt the encrypted data, negotiate the TLS session with the sensor, enumerate the valid fingerprint template IDs, and present their own fingerprint under one of those valid IDs.

The last device, the Microsoft Surface Pro, uses an ELAN chip. The researchers were surprised to find that it did not use SDCP at all, but cleartext USB communication without any authentication (!!!). This sensor was the easiest to bypass due to the complete lack of security.


  1. I like reasoning and I remember several past pathologies.
    In this case, let's remember that MS until the 10s did not have antivirus support. Maybe it did that to avoid being accused of unfair competition and monopoly. I do not know. Much is said.

    But from the 10s onwards, for the average daily computer user and "passer" of the internet, Defender does pretty well to very well. I repeat! For the average user. For those who want to read news, listen to something on YouTube, let alone send an email.
    In short, it took about 25 years to do something about online security.
    So maybe it needs some (probably similar) time to modernize some more routines and protocols.

    I don't know if it matters, but personally, when I'm messing around, I do it through win, and when I want something more or more important, I do it with live versions of Linux (on a stick).
    So I don't need passwords and "secure" entrances.

    P.S. Yes! It is paradoxical that it does not support its own children. Like the Surface. But it has done it again with the (non) support of Windows Mobile.
    In the end, maybe all these are nothing more than "grabbers" of the supranational MS to make a few billion dollars in extra profits.

  2. Ioannis Argyropoulos

    So Microsoft with SDCP solved the problem, right? In the first case we have Linux, in the second disabled SDCP and in the third the absence of SDCP.
    I don't know if Microsoft released Surface Pro first and then created SDCP but it's ridiculous on their own machine to offer zero security.
