Fingerprint scanners installed on some of the most popular enterprise-grade laptops are far less secure than hoped, with researchers finding they could successfully bypass the biometric authentication on Dell, Lenovo, and Microsoft Surface machines.
Over three months, the team at Blackwing Intelligence successfully busted into common fingerprint scanners used for Windows Hello authentication.
Microsoft sponsored the research to see how well manufacturers were implementing its biometric authentication standards, and the results are far from comforting.
“Biometric authentication can be super useful to allow users to conveniently log in,” the researchers said.
“This is especially useful in mobile scenarios, allowing the user to choose a long password to protect against decrypting their data, while letting them access their device throughout the day without the inconvenience of entering the long password.
“It’s also a key to a future of passwordless device authentication.”
The three devices Blackwing tested were the Dell Inspiron 15, Lenovo ThinkPad T14, and a Microsoft Surface Pro with a Type Cover peripheral that has fingerprint ID, each of which has ‘match on chip’ sensors designed to allow “fingerprint matching to be performed securely within the chip”.
Device manufacturers appeared to “misunderstand some of the objectives” of Microsoft’s Secure Device Connection Protocol (SDCP), which is designed to allow for secure biometric authentication through fingerprint scans.
“We found that SDCP wasn’t even enabled on two out of three of the devices we targeted,” the researchers said.
Fingerprint data is stored on the sensor chip’s dedicated storage and cross-referenced with a user’s scan when they try to sign in.
“Since fingerprint templates never leave the chip, this eliminates privacy concerns of biometric material being stored, and potentially exfiltrated, from the host – even if the host is compromised,” the Blackwing researchers wrote.
Microsoft requires that any device using Windows Hello Advanced Sign-in Security have match on chip, rather than match on host, capabilities.
SDCP is a set of protocols and standards that uses “an end-to-end secure channel between the host and the fingerprint sensor” that leans on cryptographic principles from Secure Boot to ensure on-device data can be trusted.
The Blackwing team said Microsoft “did a good job of designing SDCP to provide a secure channel between the host and biometric devices” but sadly manufacturers were failing to implement it.
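To make the secure-channel point concrete, below is a constructed toy model of an SDCP-style attested match decision, added for this article; it is not Microsoft's protocol, Blackwing's code, or any vendor's implementation. It assumes a per-sensor secret shared with the host in place of the Secure Boot rooted key derivation, and shows why a host that never verifies the sensor's answer accepts whatever a swapped or spoofed sensor reports.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed, simplified model of an SDCP-style attested channel, not
# Microsoft's protocol: a per-sensor secret stands in for the Secure Boot
# rooted key chain from which real SDCP derives the sensor's key.
DEVICE_SECRET = hashlib.sha256(b"constructed-per-sensor-secret").digest()
# Constructed enrolled template, kept on the chip as a feature hash.
TEMPLATES = {"alice": hashlib.sha256(b"alice-enrolled-features").digest()}

def _authorize_msg(nonce: bytes, template_id: str) -> bytes:
    return b"authorize|" + nonce + b"|" + template_id.encode()

class MatchOnChipSensor:
    """Keeps templates on-chip and authenticates each match decision."""
    def __init__(self, device_secret: bytes, templates: Dict[str, bytes]):
        self._secret = device_secret     # never leaves the chip
        self._templates = templates      # template id -> enrolled features

    def match(self, presented: bytes, nonce: bytes) -> Optional[Tuple[str, bytes]]:
        for template_id, enrolled in self._templates.items():
            if hmac.compare_digest(enrolled, presented):
                # Bind the decision to this attempt's nonce and the matched
                # template, so a replayed or forged result fails verification.
                tag = hmac.new(self._secret, _authorize_msg(nonce, template_id),
                               hashlib.sha256).digest()
                return template_id, tag
        return None

class RogueSensor:
    """A swapped or spoofed sensor that simply claims a match for 'alice'."""
    def match(self, presented: bytes, nonce: bytes) -> Tuple[str, bytes]:
        return "alice", bytes(32)        # cannot produce a valid tag

def host_sign_in(sensor, presented: bytes, host_secret: Optional[bytes]) -> Optional[str]:
    """Host side of one sign-in; host_secret=None models SDCP disabled."""
    nonce = os.urandom(16)               # fresh challenge per attempt
    result = sensor.match(presented, nonce)
    if result is None:
        return None
    template_id, tag = result
    if host_secret is None:
        return template_id               # no SDCP: the sensor's word is trusted
    expected = hmac.new(host_secret, _authorize_msg(nonce, template_id),
                        hashlib.sha256).digest()
    # Accept only a decision bound to this nonce under the sensor's key.
    return template_id if hmac.compare_digest(expected, tag) else None
```

With verification on, both a rogue sensor and a genuine-looking sensor provisioned with a different key are rejected; with it off, the rogue sensor's claimed match is accepted as is.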
Each device needed a different set of exploits.
For the Dell, it required disconnecting the fingerprint sensor and plugging it into an external device that rewrites the sensor’s config packet so that it instead points to a Linux database of fingerprints, which allows the attacker to spoof the credentials of a target account on the Windows machine.
For the Lenovo, Blackwing attacked the transport layer security (TLS) stack used “to secure USB communication between the host driver and sensor”, and succeeded in breaking it.
For the Surface, it was a simple matter of spoofing the Type Cover with a USB device and logging in from there.
All up, the researchers said their attacks showed a need for vendors to be more careful when implementing fingerprint ID on Windows devices and, at a minimum, to ensure SDCP is enabled.