A team of white hat hackers with Blackwing Intelligence have found security vulnerabilities in the fingerprint authentication system of Microsoft’s Windows Hello security platform. They were invited to look for them by Microsoft’s Offensive Research and Security Engineering (MORSE) group, and engaged in a complex reverse engineering process that ultimately allowed them to hack Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptop devices.
The crux of the issue was the weakness of the communication channel between a given sensor and its host device. The researchers effectively tricked the authentication system through a multi-faceted attack that involved several steps:
Reverse Engineering: The researchers first reverse-engineered the software and hardware of the fingerprint sensors. This step was crucial to understand how the sensors communicated with the laptops and the security mechanisms in place.
Exploiting Cryptographic and Protocol Flaws: They identified and exploited flaws in the cryptographic implementations and proprietary protocols used by the fingerprint sensors. This allowed them to understand and manipulate the communication between the sensors and the host computers.
Manipulating Sensor Communication: For some of the laptops, they manipulated the communication between the host and the sensor. This included intercepting and rewriting configuration packets sent from the host to the sensor. By doing this, they could make the host believe that a legitimate authentication had occurred.
Spoofing and Bypassing Authentication: In the case of the Microsoft Surface Pro, they found that any USB device could impersonate the ELAN sensor (used in the Surface Pro’s Type Cover) by spoofing its Vendor ID and Product ID. The impersonating device could then falsely claim that an authorized user had successfully authenticated.
Creating a Man-in-the-Middle (MitM) Setup: For the Dell Inspiron, they set up a USB Man-in-the-Middle (MitM) attack. This involved disconnecting the built-in fingerprint sensor, connecting it to a Raspberry Pi, and then using the Pi to intercept and alter the communications between the sensor and the laptop.
In a report on their work, the Blackwing researchers noted a disconnect between Microsoft’s secure channel design and the device manufacturers’ implementations, highlighting that on two of the three devices, Microsoft’s Secure Device Connection Protocol (SDCP) wasn’t even enabled.
“Microsoft did a good job designing Secure Device Connection Protocol (SDCP) to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives,” the hackers explained.
November 22, 2023 – by the FindBiometrics Editorial Team