Researchers Undermine Windows Hello on Lenovo, Dell, Surface Pro PCs

Published: 23/11/2024   Category: security




Biometric security on PCs isn't quite as bulletproof as you might think, as the line between sensors and host computers can be tampered with.



Researchers have figured out how to compromise three of the most common fingerprint readers used by today's PCs.
With support from Microsoft, analysts from Blackwing Intelligence attempted to subvert the biometric security offered by three sample laptops: a Dell Inspiron 15, a Lenovo ThinkPad T14, and the Microsoft Surface Pro 8/X. In the course of the study, they discovered ways to exploit each of the three brands of print sensors used by those devices for Microsoft's sign-in service, Windows Hello.
Each such exploit required that a user already had fingerprint authentication enabled, and that the attacker had physical access to the device.
Though the sensors themselves read fingerprints perfectly well, the analysts were able to take advantage of the line of communication between those sensors and their host devices.
Though neither he nor Dark Reading could confirm it as of this writing, Jesse D'Aguanno, CEO and director of research at Blackwing Intelligence, told this publication that the manufacturers — Goodix, Synaptics, and Elan — have since patched their chips.
By default, Windows Hello requires that fingerprint readers are match-on-chip (MoC), as opposed to match-on-host (MoH). MoC means that they have microprocessors and storage built in, eliminating the need to process and store sensitive biometric data on the host computer. That way privacy is maintained, even if the host is compromised.
While MoC might prevent a hacker from obtaining access using a stored copy of fingerprint data, it doesn't on its own prevent a malicious sensor from stepping in for the legitimate one and claiming a successful authentication attempt, or simply replaying a previously successful attempt.
To secure end-to-end communication between sensor and host, Microsoft developed the Secure Device Connection Protocol (SDCP). However, two of the three readers in question did not have SDCP enabled by default, and a third suffered from imperfect implementation.
Because Elan sensors didn't have SDCP turned on, for example, and because they transmitted security IDs in cleartext, the researchers were able to simply use a USB device as a stand-in, convincing the host machine of an authorized login.
Synaptics also skimped on SDCP protection, and for Goodix-protected computers with both Windows and Linux installed, the researchers were able to more circuitously take advantage of the fact that Linux doesn't support SDCP.
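The gap described above, a host that trusts whatever the sensor reports, can be seen from the defender's side in a short sketch. This is an added example, not code from the researchers, Microsoft, or any vendor: it models a generic challenge-and-MAC channel rather than SDCP's actual message format, it assumes a session key already shared between host and sensor, and the class names, key, and identifier are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

def _tag(key: bytes, nonce: bytes, enrolled_id: bytes) -> bytes:
    # The MAC binds the claimed identity to one specific host challenge.
    return hmac.new(key, nonce + enrolled_id, hashlib.sha256).digest()

class Sensor:
    """Match-on-chip sensor holding a key shared with the host (assumed pre-established)."""
    def __init__(self, key: bytes):
        self._key = key

    def report_match(self, nonce: bytes, enrolled_id: bytes) -> Tuple[bytes, bytes]:
        return enrolled_id, _tag(self._key, nonce, enrolled_id)

class Host:
    """Host that trusts a match result only if it is authenticated for its current challenge."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(32)
        return self._pending

    def accept(self, enrolled_id: bytes, tag: Optional[bytes]) -> bool:
        nonce, self._pending = self._pending, None  # each challenge is single-use
        if nonce is None or tag is None:
            return False  # no outstanding challenge, or a bare cleartext ID
        return hmac.compare_digest(_tag(self._key, nonce, enrolled_id), tag)

def run_scenarios() -> dict:
    key = os.urandom(32)        # constructed session key
    user = b"enrolled-id-0001"  # constructed identifier
    host, sensor = Host(key), Sensor(key)
    results = {}
    first = sensor.report_match(host.challenge(), user)
    results["genuine"] = host.accept(*first)
    host.challenge()
    results["replayed"] = host.accept(*first)          # old tag against a new nonce
    host.challenge()
    results["cleartext_id"] = host.accept(user, None)  # ID sent with no authentication
    other = Sensor(os.urandom(32))                     # device without the session key
    results["unknown_device"] = host.accept(*other.report_match(host.challenge(), user))
    return results

if __name__ == "__main__":
    print(run_scenarios())
```

Only the genuine response is accepted; a host that skipped the tag check would accept all four.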
D'Aguanno's study was limited to three laptops, serviced by three models of fingerprint reader. It's possible that similar kinds of vulnerabilities remain undiscovered and unaddressed in more chips, and in more computers around the world that rely on them.
"Whether it's other manufacturers or other environments like Linux, or in the Apple ecosystem, there's potential there as well, of course," D'Aguanno says.
For what it's worth, though, his research hasn't spoiled his faith in biometrics.
"There are a lot of security professionals that think biometrics are really bad, inherently. I actually feel like appropriate use of biometrics can bolster security in a lot of ways," he says. "It can allow you to choose a longer, more secure password that then is also used for other security mechanisms like generating more secure encryption keys for securing your data. So the use of biometrics then gives you that level of convenience."
