Microsoft’s biometric identification system, Windows Hello, can now be bypassed by hackers. Researchers have discovered several security flaws in the fingerprint sensors used by most manufacturers of Windows PCs.
Identifying yourself with a fingerprint on a Windows computer turns out to be a lot less secure than it should be. Security researchers from the company Blackwing Intelligence have discovered several critical vulnerabilities in the fingerprint sensors used by most of the Microsoft partners that rely on the Windows Hello biometric identification system in their computers. The system's reputation is partly tarnished as a result, because the vulnerabilities identified by the Blackwing researchers allow potential hackers to bypass it.
Interestingly, these vulnerabilities were discovered after Microsoft’s technology and security division hired Blackwing Intelligence to test its Windows Hello system, BFMTV reports. The researchers then tested the main fingerprint sensors on the market, which proved to be the weak link in a system that was supposed to be tamper-proof.
Fingerprint sensor manufacturers highlighted
The sensors examined included those from Goodix, Synaptics and ELAN, which are widely available on the market and used by Dell, Lenovo and even Microsoft itself for its Surface products, among others. To defeat them, Blackwing specialists used a USB flash drive that was configured to bypass the identification system. How? They relied on a type of attack known as a “man in the middle”. In short: “Intercepting the sending of information between two points in order to change it without the sender or receiver noticing,” summarizes BFM. This method can then be used to unlock the target computer without passing Windows Hello authentication.
Blackwing’s conclusions are also worrying: they call into question not Microsoft’s work, but the fingerprint sensor manufacturers’ own understanding of the issue.
“Microsoft has done a good job developing the Secure Device Connection Protocol (SDCP) to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the goals,” Blackwing researchers explain.
Against this background, it could be difficult for the Redmond giant to solve the problem. However, one solution could be to set up an audit to ensure that manufacturers integrate biometric devices correctly, avoiding errors during the manufacturing and sensor implementation processes.