Your laptop’s fingerprint sensor is convenient, but is it secure? Researchers at Blackwing Intelligence have bypassed the Windows Hello fingerprint system on laptops from Dell, Lenovo, and Microsoft. Manufacturers should address this problem by following strict and consistent security practices, per Blackwing Intelligence.
Microsoft asked Blackwing Intelligence to investigate Windows Hello’s fingerprint system ahead of the October 2023 BlueHat conference. Blackwing Intelligence had just three months to perform its research, so it homed in on three laptops—the Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X. These laptops were chosen because they contain the three most popular embedded fingerprint sensors (from Goodix, Synaptics, and ELAN, respectively).
Unique vulnerabilities were discovered in each laptop’s Windows Hello fingerprint system. The Blackwing Intelligence team used a custom USB device to exploit these vulnerabilities and bypass fingerprint login. Technically speaking, Microsoft’s Secure Device Connection Protocol (SDCP) should protect laptops from such an attack. But SDCP is not utilized by the fingerprint reader in the ThinkPad T14 or Surface Pro X, and Blackwing Intelligence managed to work around the Inspiron 15’s SDCP system by rerouting the laptop’s fingerprint database to Linux.
Oddly, the Surface Pro X proved to be the easiest victim. This 2-in-1 laptop should have posed a unique challenge. After all, it’s made by Microsoft and runs the niche Windows on ARM operating system. But, as Blackwing Intelligence explains, any USB device can claim to be the Surface Pro X’s fingerprint sensor (by spoofing its VID/PID). The only real hurdle presented by the Surface Pro X is a “how many fingerprints” check, which asks the removable keyboard how many fingerprints it has registered (presumably, this is to prevent two Surface Pro X users from mixing up their keyboards).
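The Surface Pro X finding above is a general lesson for anyone building a host-side trust decision around a peripheral: a USB vendor/product ID is self-reported by the device, so it identifies nothing. The following Python model, added here as an illustration and not code from Blackwing Intelligence, Microsoft, or the SDCP specification, contrasts a host that trusts a match result because the reporting device carries the expected VID/PID with a host that only trusts a match result carrying a MAC over a host-issued nonce under a key established when the sensor was paired. The key-at-pairing plus HMAC construction is a deliberate simplification of what an SDCP-style channel provides (assumption: real SDCP uses device certificates and a negotiated session, which this model does not reproduce), and all VID/PID values, keys, and template IDs are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed identifiers for the model; they correspond to no real product.
EXPECTED_VID = 0x1234
EXPECTED_PID = 0x5678


@dataclass
class MatchReply:
    """What the host receives from a (claimed) fingerprint sensor."""
    vid: int
    pid: int
    nonce: bytes          # echo of the host's challenge for this attempt
    template_id: int      # which enrolled finger the sensor says matched
    matched: bool
    mac: Optional[bytes]  # absent when the device has no paired key


def sign_reply(device_key: bytes, nonce: bytes, template_id: int, matched: bool) -> bytes:
    """MAC over every field the host will act on, bound to the host's nonce."""
    msg = nonce + template_id.to_bytes(4, "big") + bytes([int(matched)])
    return hmac.new(device_key, msg, hashlib.sha256).digest()


def host_accepts_by_identity(reply: MatchReply) -> bool:
    """Weak pattern: 'this is my sensor because it says it is my sensor'."""
    return reply.vid == EXPECTED_VID and reply.pid == EXPECTED_PID and reply.matched


def host_accepts_authenticated(reply: MatchReply, paired_key: bytes, issued_nonce: bytes) -> bool:
    """SDCP-style pattern (simplified): a fresh, keyed proof is required for each attempt."""
    if reply.nonce != issued_nonce:          # stale or replayed result
        return False
    if reply.mac is None:
        return False
    expected = sign_reply(paired_key, reply.nonce, reply.template_id, reply.matched)
    return hmac.compare_digest(expected, reply.mac) and reply.matched


def genuine_sensor(paired_key: bytes, nonce: bytes, matched: bool) -> MatchReply:
    """A paired sensor answers the host's challenge with a keyed result."""
    template_id = 7
    return MatchReply(EXPECTED_VID, EXPECTED_PID, nonce,
                      template_id, matched, sign_reply(paired_key, nonce, template_id, matched))


def impostor_device(nonce: bytes) -> MatchReply:
    """A device that copies the VID/PID and claims a match, but holds no paired key."""
    return MatchReply(EXPECTED_VID, EXPECTED_PID, nonce, 7, True, None)


def run_model() -> dict:
    """Exercise both host policies against three scenarios and report the decisions."""
    paired_key = os.urandom(32)   # established once at pairing time (constructed)
    nonce_a = os.urandom(16)
    nonce_b = os.urandom(16)

    genuine = genuine_sensor(paired_key, nonce_a, matched=True)
    impostor = impostor_device(nonce_a)
    # A genuine reply captured for an earlier challenge and presented again
    replayed = genuine_sensor(paired_key, nonce_a, matched=True)

    return {
        "identity_accepts_genuine": host_accepts_by_identity(genuine),
        "identity_accepts_impostor": host_accepts_by_identity(impostor),
        "auth_accepts_genuine": host_accepts_authenticated(genuine, paired_key, nonce_a),
        "auth_accepts_impostor": host_accepts_authenticated(impostor, paired_key, nonce_a),
        "auth_accepts_replay": host_accepts_authenticated(replayed, paired_key, nonce_b),
    }


if __name__ == "__main__":
    for name, decision in run_model().items():
        print(f"{name}: {decision}")
```

The identity-only host accepts both the genuine sensor and the impostor, which is the situation the article describes for a reader that trusts VID/PID. The authenticated host rejects the impostor (no key) and also rejects a captured result presented against a new challenge, which is why binding the result to a per-attempt nonce matters as much as the key itself.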
The good news is that these man-in-the-middle (MitM) attacks require physical access to a victim’s laptop. And, if you’re important enough to be the target of such an attack, you can protect yourself by disabling your laptop’s fingerprint login. But this research highlights an uncomfortable fact—Windows laptop manufacturers, including Microsoft, are not following consistent security practices.
Blackwing Intelligence asks all laptop and fingerprint sensor manufacturers to implement SDCP and hire third-party security auditors in the future. For additional information, please read Blackwing Intelligence’s “A Touch of Pwn” blog post or watch the firm’s BlueHat presentation.