Title: Major Security Vulnerabilities Found in Top Laptop Fingerprint Sensors
Security researchers have recently uncovered serious vulnerabilities in the embedded fingerprint sensors on popular laptop models, including Dell Inspiron, Lenovo ThinkPad, and Microsoft Surface Pro X. These vulnerabilities were discovered as part of a research project sponsored by Microsoft’s Offensive Research and Security Engineering (MORSE) program.
The vulnerabilities were found in the top three embedded fingerprint sensors used for Windows Hello fingerprint authentication. Specifically, the researchers targeted sensors made by ELAN, Synaptics, and Goodix.
Although the fingerprint sensors in the tested laptops were Match-on-Chip (MoC) sensors, which are considered secure, the researchers found that they are still susceptible to attacks in which a malicious sensor mimics a legitimate sensor’s communication with the host.
Microsoft developed the Secure Device Connection Protocol (SDCP) to address these weaknesses. However, the team was still able to bypass Windows Hello authentication using man-in-the-middle (MiTM) attacks. Using a Linux-powered Raspberry Pi 4 device together with software and hardware reverse-engineering techniques, they exploited cryptographic implementation flaws and proprietary protocols.
The researchers successfully achieved authentication bypass on Dell and Lenovo laptops by enrolling the attacker’s fingerprint using a legitimate user’s ID. Additionally, the ELAN fingerprint sensor used in the Microsoft Surface device lacked SDCP protection and used unencrypted USB communication, making it susceptible to spoofing.
While the researchers praised Microsoft’s SDCP as an effective countermeasure, they criticized device manufacturers for their limited understanding of its objectives and scope. To prevent such attacks, security experts at Blackwing Intelligence recommend that biometric authentication solution vendors ensure SDCP is enabled on their devices.
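As an added illustration (not code from the researchers, Microsoft, or any sensor vendor), the sketch below contrasts a host that trusts any "match" message arriving from the sensor with one that requires the result to be authenticated against a fresh host challenge. It is a simplified model and not the SDCP message format; the class, function, and field names are hypothetical, and the shared session key is assumed to have been established when the secure channel was set up.

```python
import hashlib
import hmac
import os


def sensor_assert(session_key: bytes, nonce: bytes, user_id: bytes) -> bytes:
    """Sensor side (model): MAC the match result over the host nonce and matched ID."""
    return hmac.new(session_key, b"match" + nonce + user_id, hashlib.sha256).digest()


class Host:
    def __init__(self, session_key: bytes):
        self.session_key = session_key
        self.nonce = None

    def challenge(self) -> bytes:
        # A fresh 32-byte nonce per attempt ties the answer to this login only.
        self.nonce = os.urandom(32)
        return self.nonce

    def accept_unauthenticated(self, msg: dict) -> bool:
        # Weak: believes whatever device is on the bus.
        return msg.get("result") == "match"

    def accept_authenticated(self, msg: dict) -> bool:
        if self.nonce is None:
            return False
        nonce, self.nonce = self.nonce, None  # a nonce is valid for one answer
        expected = sensor_assert(self.session_key, nonce, msg.get("user_id", b""))
        tag = msg.get("mac", b"")
        return msg.get("result") == "match" and hmac.compare_digest(tag, expected)


def demo():
    key = os.urandom(32)  # constructed stand-in for the channel's session secret
    host = Host(key)
    nonce = host.challenge()
    genuine = {"result": "match", "user_id": b"alice",
               "mac": sensor_assert(key, nonce, b"alice")}
    accepted = host.accept_authenticated(genuine)
    host.challenge()
    replayed = host.accept_authenticated(genuine)   # old answer, new nonce
    host.challenge()
    unkeyed = {"result": "match", "user_id": b"alice", "mac": bytes(32)}
    spoofed = host.accept_authenticated(unkeyed)    # device without the key
    weak = host.accept_unauthenticated({"result": "match", "user_id": b"alice"})
    return accepted, replayed, spoofed, weak


if __name__ == "__main__":
    print(demo())
```

Only the genuine, fresh response passes the authenticated check, while the unauthenticated check accepts a bare "match" from any device.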
Microsoft, which has seen a significant increase in users adopting Windows Hello for device logins instead of passwords, should take this discovery seriously, as it affects its users’ security.
In conclusion, these vulnerabilities serve as a reminder of the ongoing need for vigilant security measures in technology. Users should remain cautious and ensure that their devices are equipped with the latest security updates to mitigate the risks associated with these vulnerabilities.