[German]Microsoft is using Windows Hello in its operating system for password-free login. This is supposed to be more secure than a password, as it cannot be stolen. Security researchers were asked by Microsoft's Offensive Research and Security Engineering (MORSE) to check the security of the fingerprint sensors and thus of Windows Hello. During the evaluation, the researchers discovered several vulnerabilities and were able to trick the fingerprint sensors in Dell Inspiron 15, Lenovo ThinkPad T14 and Microsoft Surface Pro X laptops.
Advertising
The topic became public a few days ago, in addition to tips from readers here on the blog (thanks), I also saw the tip on BlueSky in the following post. The research was documented by the security researchers at Blackwing Intelligence here; The Hacker News has summarized it here.
Fingerprint sensors from most providers that are installed in devices use a type of sensor known as "Match on Chip" (MoC). MoC sensors have a microprocessor and a memory integrated in the chip. All matching of stored (set up) and actual fingerprints and other biometric management functions are performed directly by this circuitry in the sensor. The researchers write that the matching of fingerprints can be carried out securely in the chip.
A database of "fingerprint templates" (the biometric data captured by the fingerprint sensor) is stored on the chip, and enrolment and matching are performed directly on the chip. In this way, the MoC prevents attackers from transferring stored fingerprint data to the host (in this case Windows Hello) for matching. This approach also prevents attacks in which images of valid fingerprints are simply sent to the host for comparison.
However, security researchers Jesse D'Aguanno and Timo Teräs have now discovered that the chip cannot currently prevent a "malicious" or manipulated sensor from manipulating the communication of a legitimate sensor with the host and falsely claiming that an authorized user has successfully authenticated themselves.
Advertising
While Microsoft has developed the Secure Device Connection Protocol (SDCP), which aims to prevent some of these issues during communication by creating a secure end-to-end channel, researchers have uncovered a novel method that can be used to circumvent these safeguards and carry out Adversary-in-the-Middle (AitM) attacks.
They found that the ELAN sensor is vulnerable to a combination of attacks that the researchers call sensor spoofing. This method of attack is due to the lack of SDCP support and the plain text transmission of security identifiers (SIDs) in the ELAN sensor. There, any USB device can impersonate a fingerprint sensor and claim that an authorized user is logging in.
Not only was SDCP disabled by default on the Synaptics sensor, but the implementation also relied on a flawed custom Transport Layer Security (TLS) stack to secure USB communication between the host driver and the sensor. This can be tampered with to bypass biometric authentication.
The exploitation of the vulnerabilities in the Goodix sensor is based on the fact that SDCP is not supported (this means that the attack works under Linux and Windows). Windows requires Windows Hello to be set up and the computer to be booted for an attack on the device. Here, a BIOS password could form a lock to prevent unauthorized use. However, this counteracts the biometric login via fingerprint. A video of the presentation at the BlueHat conference in October 2023 can be found on YouTube. Details of the attacks can be found in the researchers' linked document.
Advertising
