.png){kind=small}
If you have a Windows laptop, then you probably have come across Windows Hello. It's a biometric login that on supported laptops, allows users to login with either a facial scan, an iris scan, or a fingerprint scan. In the case of using a fingerprint to get into your laptop, though, be warned: researchers from Blackwing HQ have bypassed Windows Hello on three different laptops from Dell, Lenovo, and Microsoft.
Microsoft’s Offensive Research and Security Engineering (MORSE) asked the researchers to evaluate the security of the top three fingerprint sensors embedded in laptops. They found vulnerabilities that allowed them to completely bypass Windows Hello authentication on all three, and the researchers provided their findings in a presentation at Microsoft’s BlueHat conference in October.
The team identified popular fingerprint sensors from Goodix, Synaptics, and ELAN as targets for their research, with a newly-published blog post detailing the in-depth process of building a USB device that can perform a man-in-the-middle (MitM) attack. Such an attack could provide access to a stolen laptop, or even an “evil maid” attack on an unattended device. A Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X all fell victim to the attack.
You can watch their talk down below:
First but foremost, it’s important to know that for these vulnerabilities to be exploitable, fingerprint authentication needs to be set up on the target laptop. The three sensors the researchers looked at were all of the “match on chip” type. This means that a separate chip stores the biometric credentials (in this case the fingerprints), making it almost impossible to hack into.
The communication between the sensor and the laptop is done over a secure channel, set up through the Secure Device Connection Protocol (SDCP) created by Microsoft.
SDCP aims to answer three questions about the sensor:
How can the laptop be certain it’s talking to a trusted sensor and not a malicious one?
How can the laptop be certain the sensor hasn’t been compromised?
How is the raw input from the sensor protected?
The input has to be authenticated
The input is fresh and can’t be re-playable.
So, what could go wrong?
The researchers were still able to spoof the communication between sensor and laptops. They were able to fool the the laptops using a USB device which pretended to be its sensor, and sent a signal that an authorized user had logged in.
The bypasses are possible because the device manufacturers did not use SDCP to its full potential:
The ELAN sensor commonly used in Dell and Microsoft Surface laptops lacks SDCP support and transmits security identifiers in cleartext.
Synaptics sensors, used by both Lenovo and Dell, had turned SDCP off by default and used a flawed custom Transport Layer Security (TLS) stack to secure USB communications.
The Goodix sensors, also used by both Lenovo and Dell, could be bypassed because they are suitable for Windows and Linux, which does not support SDCP. The host driver sends an unauthenticated configuration packet to the sensor to specify what database to use during sensor initialization.
The recommendation of the researchers to the manufacturers is clear: SDCP is a powerful protocol, but it doesn’t help if it isn’t enabled or when it can be bypassed by using other weak links in your setup.
The fact that three manufacturers were mentioned by name doesn’t mean by any stretch that others have done a better job. It just means the researchers didn’t get round to testing them.
To quote the researchers from Blackwing HQ:
"Microsoft did a good job designing SDCP to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives. Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all.
Finally, we found that SDCP wasn’t even enabled on two out of three of the devices we targeted."
Blackwing Intelligence recommends that vendors manufacturing biometric authentication solutions ensure SDCP is enabled, as it will not help thwart attacks if it's not toggled on.
This year, we've seen Microsoft become more "intentional" in its drive towards a passwordless future, especially with its most recent move designed to allow Windows 11 users to log into websites that support passkeys using Windows Hello. Additionally, it also allows users to manage their passkeys on saved Windows devices, including deleting passkeys through the Windows Settings app.
Microsoft said three years ago that the number of users signing into their Windows 10 devices using Windows Hello instead of using a password grew to 84.7 percent from 69.4 percent in 2019. With more people now hopping onto the passwordless train with Windows Hello, it creates a high level of uncertainty among users. This ultimately makes it even harder to decide whether they should fully transition to the passwordless approach or stick to pins.
What Can You Do?
Rest assured that it's very unlikely any attack like this would happen to you. These are highly-specialized attacks that require a lot of effort on the part of the attacker, and they also need physical access to your laptop. If that is a problem, then the best way forward is to at least disable Windows Hello entirely for now. Disabling Windows Hello should hopefully be enough, as it will require you to login manually and the system won't be expecting a fingerprint sensor to log in at all.
Furthermore, users should look out for and install any updates regarding Windows Hello software, and avoid using fingerprints on public computers to protect against this vulnerability.
コメント