Microsoft's Windows Hello Fingerprint Authentication Has Been Bypassed

Microsoft's Windows Hello fingerprint authentication has been bypassed on laptops from Dell, Lenovo, and even Microsoft. From a report: Security researchers at Blackwing Intelligence have discovered multiple vulnerabilities in the top three fingerprint sensors that are embedded into laptops and used widely by businesses to secure laptops with Windows Hello fingerprint authentication. Microsoft's Offensive Research and Security Engineering (MORSE) asked Blackwing Intelligence to evaluate the security of fingerprint sensors, and the researchers provided their findings in a presentation at Microsoft's BlueHat conference in October.

The team identified popular fingerprint sensors from Goodix, Synaptics, and ELAN as targets for their research, with a newly-published blog post detailing the in-depth process of building a USB device that can perform a man-in-the-middle (MitM) attack. Such an attack could provide access to a stolen laptop, or even an "evil maid" attack on an unattended device. A Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X all fell victim to fingerprint reader attacks, allowing the researchers to bypass the Windows Hello protection as long as someone was previously using fingerprint authentication on a device. Blackwing Intelligence researchers reverse engineered both software and hardware, and discovered cryptographic implementation flaws in a custom TLS on the Synaptics sensor. The complicated process to bypass Windows Hello also involved decoding and reimplementing proprietary protocols.

so much work when just a gummy bear can clone an p

[Joe_Dragon]

so much work when just a gummy bear can clone an print.

Re:

[NotEmmanuelGoldstein]

... a gummy bear can ...

A fingerprint is a photo-negative of the actual image. Either the sensor can't tell between a positive or negative, or the story has been hollywood-ified: Important facts changed so people don't learn how to be a criminal.

If you're the target of a government...

[Tony Isaac]

They're going to find a way in. This attack is literally at that scale, in terms of cost and sophistication.

This is *not* an attack that will be useful to someone who happens to pick up the laptop you accidentally left behind in a hotel room.

Also, don't use fingerprint authentication for things you really need to secure. If your password is compromised, you can change it. If your fingerprint is compromised, sorry, you're stuck with it.

Re: If you're the target of a government...

[strUser_Name]

A typed password is easily recorded using a mobile phone by someone standing at a distance of a few meters. Easily recorded and easily reproduced. I would not advocate for passwords.

Re:

[Tony Isaac]

Of course, every form of authentication has a drawback of some kind.

It's pretty easy to pick up someone's fingerprint, too. This is why police investigators rely on fingerprint analysis so heavily.

A password by itself isn't that difficult to defeat, but a password combined with MFA is pretty decent. Many MFA methods use a short-lived code that must be typed. Using a fingerprint as one of the two factors turns your 2FA into 1FA once your fingerprint is compromised.

Re: If you're the target of a government...

[strUser_Name]

Agreed.

Re:If you're the target of a government...

[Calydor]

Your password can be stolen.

So can your finger.

Which would you prefer?

Re:

[Tony Isaac]

To take your fingerPRINT they don't have to take your actual finger. So yes, I'd rather risk my password being stolen, because I can change that.

Re:

[The_Noid]

My password can't be stolen. If someone copies my password, I still have it, so it's not stolen, merely copied.

My finger, however, can be stolen...

Re:

[arglebargle_xiv]

Correction, the first time it's done it requires some technical expertise. The second time it just requires access to someone else's script.

Re:

[Tony Isaac]

Not with this particular hack. This hack requires skill, multiple steps, and the ability to build a USB device. I suppose someone could manufacture and sell these USB devices pre-made, but that raises the cost of the hack and erects a significant barrier.

Also, "The complicated process to bypass Windows Hello also involved decoding and reimplementing proprietary protocols."

Now, your would-be hacker is either spending lots of time and effort building all this stuff, or he's downloading pre-built kits and soft

Re:

[arglebargle_xiv]

The Lenovo one looks like it can be done in software only, boot Linux, grab the certs and keys, run a TLS session to the sensor with said keys, and enrol the attacker's fingerprint. Then boot Windows and use the newly-enrolled fingerprint to authenticate.

Re:

[Tony Isaac]

And you think that a typical script kiddie can follow all those steps?

Re:

[MachineShedFred]

Well you seem to think it takes governmental intelligence resources to do, so I wouldn't toss too many rocks.

Reality is somewhere between, and a whole hell of a lot closer to what they're saying than what you are.

Re:

[Tony Isaac]

I didn't say it takes a government. I used that as representative of one end of the spectrum, which is not typical of people who might want to break into your computer. Most thieves are just plain dumb.

Re:

[MachineShedFred]

Well, from your argumentation, you seem to think that every thief is "just plain dumb".

Yes, there are dumb thieves out there. However, there are plenty of crafty people that realize that a stolen laptop is worth more than the value of the hardware, especially in this day-and-age when hardware is increasingly trackable as soon as it hits the Internet, and can report it's location. Which means the hardware becomes decreasingly valuable, where the data contained within is increasingly valuable.

Do you think t

Re:

[Tony Isaac]

Do you think that thieves are just going to give up on electronic devices, or do you think they may adapt?

No, certainly not. They just know there are a thousand easier ways to get your personal data, than hijacking your fingerprint reader.

Engine immobilizers have cut car theft rates in half. https://www.vice.com/en/articl... [vice.com] The difference is, car manufacturers have been working on anti-theft technology for far longer than computer manufacturers have.

Script kiddies don't have what it takes to follow the steps necessary to carry out this attack, there are too many manual operations required.

Re:

[MachineShedFred]

Rebooting to a linux install on a USB device to enroll your fingerprint in the sensor's on-board memory, and then rebooting to Windows and logging in with the new fingerprint is only attainable by governments, in terms of cost and sophistication?

Or spoofing a USB VID/PID and sending back an "authenticated" response is only attainable by governments?

Or reading the clear text implementation Microsoft used in their own products, because turning on their own secure communications protocol was apparently just a

Re:

[Tony Isaac]

Yes, yes, and yes.

Only governments, because those with the skills to do such things, don't have the financial motivation to do so. The typical kind of person who wants to steal data from a laptop, isn't going to go to the lengths you described, or even know how to do so. And those who know how to do so, aren't really interested in breaking into random people's computers, they are doing it because they are paid to do it to reach a specific target.

If you think the scenarios you described are doable by typical

Re:

[MachineShedFred]

And yet some private researchers figured out all three without governmental resources.

Checkmate.

Re:

[Tony Isaac]

OK, so governments, and well-financed security firms. I'll give you that.

Those are not the people trying to break into your laptop.

Re:

[MoreDruid]

Yeah, because there's no such thing as corporate espionage. An infiltrator can easily be taught how to do this, especially since he already has physical access and knows the hardware being used in the company.

Those _are_ the people trying to break into laptops with valuable data.

Re:

[Tony Isaac]

Yes, there are people trying to do this. And they aren't likely after *your* computer.

Re:

[MoreDruid]

Sure, that's your call to make. Just admit to being wrong (and learn new stuff because of it) instead of countering every valid argument with "yeah but not for you".

Re:

[Tony Isaac]

I never admit to being wrong, just ask my wife!

Windows Hello still more secure than local account

[Tony Isaac]

With local accounts, you can break into a Windows computer with just a few steps. The only tool you need is a standard Windows install on a USB stick. https://www.wintips.org/how-to... [wintips.org]

Using this approach, you can enable the built-in Windows Administrator account, which by default has no password. You can then reset the password of other local accounts on that computer to whatever you want, and you're in.

If Windows Hello is being used, this hack doesn't work, because the only way to change another user's acc

Re:

[fph il quozientatore]

Well, you can't change their password, but you can still read all their data.

The critical factor is not local vs. Microsoft accounts, it's having full disk encryption vs. not having it.

Re:

[drinkypoo]

You don't need FDE to protect your data, that's for protecting your OS from malware when the system is turned off. Any encryption where the keys are not stored on the system will protect your data.

Re:

[Tony Isaac]

While disk encryption is important, it's a separate issue, not really related to the authentication method. If you have possession of someone's hard drive, you can easily use a SATA/USB adapter to connect the drive to another computer, and access all the files on it, without an administrator account or a password of any kind. So yes, you're right. But by accessing the drive in this way, you can't impersonate the legitimate user of the computer. With a local Windows account, you can.

Re:

[itsme1234]

If you can see and edit files under Windows\system32\config (and in particular the SAM db) it's game over, local account or not. If your attack starts with the assumption "I can just boot anything and then do what I like to the main OS disk, which is unencrypted" there is no defense for that.

Re:

[Tony Isaac]

It depends on your goal. Yes, if all you want is to read files on the drive, there are many attacks for that which don't require an administrator account or password of any kind, if the disk is not encrypted. You can use a SATA/USB adapter, for example. But this doesn't allow you to impersonate the user, as the local administrator account does, if the user is a local account.

So you're correct, but it's still true that Windows Hello is more secure than a local account.

Re:

[thegarbz]

If you can see and edit files under Windows\system32\config (and in particular the SAM db) it's game over, local account or not. If your attack starts with the assumption "I can just boot anything and then do what I like to the main OS disk, which is unencrypted" there is no defense for that.

Why is your main disk unencrypted? If your argument is that something is insecure because you're too stilly to follow the installation instructions on a new install of Windows then it's not a very good argument. Every OS including the cheap "Home" editions of Windows ones support automatic encryption of your boot drive and indeed guide you through the setup process during install.

Re:

[itsme1234]

You hit "reply" on the wrong post, I'm just answering the GP, who is ASSUMING the disk is unencrypted and then fiddling with this or that is more or less secure, when in fact everything is just widely open.

Re:

[ledow]

Unless you activated Bitlocker like you're supposed to.

Re:

[Tony Isaac]

Very few personal users do so, or even know it exists.

Many businesses these days are starting to use Bitlocker. But they were already protected against the default administrator attack, because they use domain authentication, which has the same security advantage as Windows Hello: The administrator account can't override a user's password like it can with a local user.

Re:

[olmsfam]

Its turned on by default now on most machines out of the box, surfaces, most lenovo's, dells etc any machine I've looked at has bitlocker on by default.

Quote from HP "By default, BitLocker encryption is enabled on computers that support Modern Standby, regardless of the Windows 10 version (Home, Pro, and so on) installed."

so no... this isnt really a thing anymore.

Re:

[Tony Isaac]

According to this HP KnowledgeBase article https://support.hp.com/us-en/d... [hp.com].

NOTE: BitLocker Drive Encryption is not available on devices running the Windows 11 and Windows 10 Home operating systems.

Re:

[olmsfam]

Yeah they don't call it "Bitlocker" except on pro, its called "device encryption" and you have less control over what it does but AFAIK its the same on Home edition.

https://www.pcworld.com/articl... [pcworld.com]

Requires modern standby, TPM etc but thats a minimum for windows 11 anyway. So gone are the days of just popping out the HDD to save loved ones photos....

Re:

[Tony Isaac]

That's all good, but the system, whatever you call it, doesn't ask you for a password or PIN on boot-up. So as long as you can turn the thing on, there's nothing blocking you from accessing files on that drive. The only protection you get from that disk encryption, is if you physically remove the drive.

Re:

[olmsfam]

yes, that's the sole point of disk encryption and yes its job is to protect the AT REST. Once the OS is booted it is the OS's (linux, windows) job to protect the data access through passwords and secure design.

The reason it doesn't need a pin or password is because TPM. Everyone hates TPM but no one understands it. It is the device on the pc you don't own. The OS and motherboard trusts it and only interacts with is to do things like disk encryption keys etc.

It allows the system to boot securely without huma

TPM requirement

[Torodung]

Well! I'm glad we're required to have a TPM now to make our systems more...

Oh wait. Crackers gonna crack. Clearly, the only thing TPM is good for is eventual OS lock-in, but white hats will jailbreak that too. A TPM hardware component has to be talked to by a software implementation.

The weak spot in security is always either software implementation or social engineering/laziness. Usually the latter. No amount of trumped-up, much touted technology will change that.

Requiring it is a load of bollocks. TPM usag

Re:

[theendlessnow]

Also remember, there's a reason why (today) it has to be TPM 2.0 (version emphasis). "Things" work for today. And not necessarily for tomorrow.

Re:

[codebase7]

The definition and purpose of a TPM means it can never be trusted. Why? Because it's definition is that it is a "secure" processing chip for pre-generated* cryptographic keys and it's purpose is to use the keys burned into it at the factory to "attest" that the owner of the chip hasn't altered the TPM itself / the OS / Firmware. While keeping those keys hidden from everyone forever. Including the chip's owner.

Only the ignorant would fully trust those keys or the output that the chip generates, but once ag

Biometrics are bad

[Rosco P. Coltrane]

because once hacked, you can't change your credentials.

Re:

[thegarbz]

False. No one is hacking your physical fingerprint. They are hacking a seeded cryptographic hash of an analysis of your print. The hash, the seed, and the algorithm can be changed when hacked.

And if someone cuts off your index finger you need to change your credentials anyway otherwise you wouldn't be able to log in.

Re: Biometrics are bad

[reanjr]

It's actually easier to pull a print and duplicate it. Having your fingerprint stolen (or other biometrics) is a real risk if you are an actual target.

Re:

[thegarbz]

It's actually easier to pull a print and duplicate it. Having your fingerprint stolen (or other biometrics) is a real risk if you are an actual target.

Pulling a print is not the same as a hack to compromise a key.