November 25, 2024

Windows Hello Vulnerabilities: Researchers Bypass Microsoft's Fingerprint-Based Windows Hello Authentication: Report


Security researchers have discovered new vulnerabilities affecting Microsoft's Windows Hello fingerprint authentication. Researchers at cybersecurity firm Blackwing Intelligence found that the authentication can be bypassed on laptops from Dell, Lenovo and even Microsoft itself. The flaws are in the three most widely used fingerprint sensors embedded in laptops and in the way they are integrated with the host, rather than in Windows Hello's own logon logic. Businesses widely rely on fingerprint-based Windows Hello to secure their laptops.
Microsoft's Offensive Research and Security Engineering (MORSE) team asked the firm to evaluate the security of these fingerprint sensors. In October, the researchers presented their findings at Microsoft's BlueHat conference. Fingerprint sensors are now common on Windows laptops, and Microsoft has promoted Windows Hello as part of its push towards a passwordless future.
A few years ago, Microsoft said that nearly 85% of consumers were signing into Windows 10 devices with Windows Hello instead of a password. It is important to note that Microsoft also counts a simple PIN as Windows Hello, so that figure is not a measure of biometric use.
Vulnerabilities in Windows Hello authentication system
The security team picked popular fingerprint sensors from Goodix, Synaptics and ELAN as targets for the research. In a blog post, the company explained how to build a USB device that sits between the sensor and the host and performs a man-in-the-middle (MITM) attack on the traffic between them. Such an attack could unlock a stolen laptop, or serve as an "evil maid" attack on a device left unattended.

Laptop models including the Dell Inspiron 15 (Goodix sensor), Lenovo ThinkPad T14 (Synaptics sensor) and Microsoft Surface Pro X (ELAN sensor, in the Type Cover with Fingerprint ID) were affected by the fingerprint reader attacks. The researchers bypassed Windows Hello on all three, provided that fingerprint authentication had previously been set up on the device.
The research team reverse-engineered both software and hardware, and discovered cryptographic implementation flaws in the custom TLS stack the Synaptics sensor uses to talk to the host. The bypass also involved decoding and reimplementing the vendors' proprietary sensor protocols. Blackwing noted that Microsoft's Secure Device Connection Protocol (SDCP), which is designed to authenticate the sensor and its match results to the host and to defeat exactly this kind of interposer attack, was not enabled on two of the three devices tested. The practical takeaway for administrators is that a fingerprint reader only adds real protection to Windows Hello when the OEM has actually enabled SDCP on it.
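To make the USB interposer attack and the SDCP-style defence concrete, the following is an added example that is not code from the article, from Blackwing Intelligence or from Microsoft. It models a sensor, a host and a MITM device on the bus. On an unauthenticated link the host trusts whatever result bytes arrive, so the interposer simply injects "match on the enrolled slot". With a host-chosen nonce and an HMAC under a key the interposer does not hold, both forgery and replay of a captured genuine reply fail. The two-byte message layout, the class names and the pre-shared session key are constructed for this example and are not SDCP's real wire format (SDCP additionally attests the sensor's firmware and its key).

```python
"""Added example: why an interposer on the sensor-to-host link beats an
unauthenticated fingerprint protocol, and why a nonce + MAC stops it.
Not SDCP's real format; layout, names and key setup are constructed."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

MATCH_OK, MATCH_FAIL = 0x01, 0x00
TAG_LEN = 32  # HMAC-SHA256 tag length

# Constructed data: template slot 1 is the one the user enrolled earlier.
ENROLLED_TEMPLATE_IDS = {1}
# Constructed "matcher": the only finger the sensor recognises maps to slot 1.
KNOWN_FINGERS = {b"alice-finger": 1}


def _encode(matched: bool, template_id: int) -> bytes:
    """Result body: one status byte, one template-slot byte (constructed layout)."""
    return struct.pack("<BB", MATCH_OK if matched else MATCH_FAIL, template_id)


class Sensor:
    """Legitimate sensor; holds its copy of the per-session MAC key."""

    def __init__(self, session_key: bytes):
        self._key = session_key

    def _match(self, finger: bytes) -> Optional[int]:
        return KNOWN_FINGERS.get(finger)

    def authenticate_plain(self, finger: bytes) -> bytes:
        """Unauthenticated reply: nothing binds these bytes to this sensor."""
        tid = self._match(finger)
        return _encode(tid is not None, tid or 0)

    def authenticate_mac(self, nonce: bytes, finger: bytes) -> bytes:
        """Reply bound to the host's fresh nonce and to the session key."""
        tid = self._match(finger)
        body = _encode(tid is not None, tid or 0)
        tag = hmac.new(self._key, nonce + body, hashlib.sha256).digest()
        return body + tag


class Host:
    """Host-side logon decision, in both the weak and the hardened form."""

    def __init__(self, session_key: bytes):
        self._key = session_key

    def accept_plain(self, reply: bytes) -> bool:
        status, tid = struct.unpack("<BB", reply[:2])
        return status == MATCH_OK and tid in ENROLLED_TEMPLATE_IDS

    def new_nonce(self) -> bytes:
        return secrets.token_bytes(32)  # never reused across challenges

    def accept_mac(self, nonce: bytes, reply: bytes) -> bool:
        if len(reply) != 2 + TAG_LEN:
            return False
        body, tag = reply[:2], reply[2:]
        expected = hmac.new(self._key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged tag, or a genuine reply for a different nonce
        status, tid = struct.unpack("<BB", body)
        return status == MATCH_OK and tid in ENROLLED_TEMPLATE_IDS


class UsbInterposer:
    """MITM device on the bus: drops the real reply and injects its own."""

    def forge_match(self, template_id: int) -> bytes:
        return _encode(True, template_id)

    def forge_match_with_tag(self, template_id: int) -> bytes:
        # The attacker has no session key; the best it can do is guess a tag.
        return _encode(True, template_id) + secrets.token_bytes(TAG_LEN)


def interposer_wins_plain() -> bool:
    """Unauthenticated link: a fabricated 'match on slot 1' is accepted."""
    host = Host(session_key=b"")  # key is not consulted on the plain path
    return host.accept_plain(UsbInterposer().forge_match(1))


def interposer_wins_mac_forge() -> bool:
    key = secrets.token_bytes(32)
    host = Host(key)
    return host.accept_mac(host.new_nonce(), UsbInterposer().forge_match_with_tag(1))


def interposer_wins_mac_replay() -> bool:
    """Capture a genuine authenticated reply, replay it against a later challenge."""
    key = secrets.token_bytes(32)
    host, sensor = Host(key), Sensor(key)
    captured = sensor.authenticate_mac(host.new_nonce(), b"alice-finger")
    return host.accept_mac(host.new_nonce(), captured)


def legitimate_user_wins_mac() -> bool:
    key = secrets.token_bytes(32)
    host, sensor = Host(key), Sensor(key)
    nonce = host.new_nonce()
    return host.accept_mac(nonce, sensor.authenticate_mac(nonce, b"alice-finger"))


def unknown_finger_rejected_mac() -> bool:
    key = secrets.token_bytes(32)
    host, sensor = Host(key), Sensor(key)
    nonce = host.new_nonce()
    return host.accept_mac(nonce, sensor.authenticate_mac(nonce, b"stranger"))


if __name__ == "__main__":
    print("plain link, forged reply accepted:   ", interposer_wins_plain())
    print("MAC link, forged reply accepted:     ", interposer_wins_mac_forge())
    print("MAC link, replayed reply accepted:   ", interposer_wins_mac_replay())
    print("MAC link, genuine user accepted:     ", legitimate_user_wins_mac())
    print("MAC link, unknown finger accepted:   ", unknown_finger_rejected_mac())
```

The point the model makes is that the sensor's verdict must be cryptographically bound to a challenge the host issued and to a key the sensor alone holds; otherwise anything on the bus can speak for the sensor. Note that this model does not cover the other failure Blackwing describes, a flawed implementation of the cryptography itself (the custom TLS on the Synaptics part), which no message layout can fix.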
This isn't the first time that Windows Hello biometric authentication has been bypassed. In 2021, Microsoft patched a Windows Hello authentication bypass (CVE-2021-34466) after researchers at CyberArk published a proof of concept that used a captured infrared image of a victim's face, replayed from a custom USB camera, to spoof Windows Hello's facial recognition.