Windows Hello fingerprint authentication has been bypassed on Dell, Lenovo and even Microsoft laptops. Security researchers at Blackwing Intelligence have discovered multiple vulnerabilities in three major fingerprint sensors that are built into laptops and are widely used by companies to protect information.
Microsoft's Offensive Research and Security Engineering (MORSE) division asked Blackwing Intelligence to evaluate the security of fingerprint sensors, and the researchers presented their findings at Microsoft's BlueHat conference in October. The research targeted fingerprint sensors from Goodix, Synaptics and ELAN. To get around the fingerprint authentication, the researchers built a USB device that can perform a man-in-the-middle (MitM) attack. Such an attack could provide access to a stolen laptop or even a device that was left unattended, The Verge reports.
The Dell Inspiron 15, Lenovo ThinkPad T14 and Microsoft Surface Pro X all fell to attacks on their fingerprint scanners, allowing researchers to bypass Windows Hello security if someone had previously used fingerprint authentication on them. Blackwing Intelligence researchers reverse-engineered both the software and hardware and identified cryptographic implementation flaws in the custom TLS protocol on the Synaptics sensor. The complex process of bypassing Windows Hello also involved decoding and reimplementing proprietary protocols.
This isn't the first time Windows Hello's biometric-based authentication has failed. Microsoft was forced to patch a Windows Hello authentication bypass vulnerability in 2021 after a proof of concept that involved capturing a victim's infrared image to spoof Windows Hello's facial recognition feature.