If you have a Windows laptop, you have probably come across Windows Hello. It's a biometric login that, on supported laptops, allows users to log in with a facial scan, an iris scan, or a fingerprint scan. If you use a fingerprint to get into your laptop, though, be warned: researchers from Blackwing HQ have bypassed Windows Hello on three different laptops from Dell, Lenovo, and Microsoft.
Microsoft’s Offensive Research and Security Engineering (MORSE) asked the researchers to evaluate the security of the top three fingerprint sensors embedded in laptops. They found vulnerabilities that allowed them to completely bypass Windows Hello authentication on all three, and the researchers provided their findings in a presentation at Microsoft’s BlueHat conference in October.
The team identified popular fingerprint sensors from Goodix, Synaptics, and ELAN as targets for their research, and a newly published blog post details the in-depth process of building a USB device that can perform a man-in-the-middle (MitM) attack. Such an attack could provide access to a stolen laptop, or even enable an “evil maid” attack on an unattended device. A Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X all fell victim to the attack.
First and foremost, it’s important to know that for these vulnerabilities to be exploitable, fingerprint authentication needs to be set up on the target laptop. The three sensors the researchers looked at were all of the “match on chip” type. This means that a separate chip stores the biometric credentials (in