New Flaws in Fingerprint Sensors Let Attackers Bypass Windows Hello Login

November 22, 2023 at 10:30AM

Multiple vulnerabilities have been discovered in fingerprint sensors on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops. The flaws allow bypassing Windows Hello authentication. Researchers found weaknesses in the fingerprint sensors from Goodix, Synaptics, and ELAN. Exploiting these vulnerabilities requires users to have fingerprint authentication set up. Microsoft’s Secure Device Connection Protocol (SDCP) aims to address these issues, but researchers found ways to circumvent the protections. Original equipment manufacturers (OEMs) are advised to enable SDCP and have fingerprint sensor implementations audited.

Key Takeaways:

1. Researchers at Blackwing Intelligence discovered vulnerabilities in the fingerprint sensors on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops.
2. The vulnerabilities are related to the fingerprint sensors from Goodix, Synaptics, and ELAN that are embedded in these devices.
3. The vulnerabilities can be used to bypass Windows Hello authentication if users of the targeted laptops have fingerprint authentication set up.
4. All the fingerprint sensors are a type called “match on chip” (MoC), which integrates biometric management functions directly into the sensor’s circuit.
5. The MoC does not prevent a malicious sensor from spoofing a legitimate sensor’s communication with the host and falsely claiming successful authentication.
6. The MoC also does not prevent replay of previously recorded traffic between the host and sensor.
7. The researchers uncovered a novel method to circumvent the Secure Device Connection Protocol (SDCP) created by Microsoft and stage adversary-in-the-middle (AitM) attacks.
8. The ELAN sensor is vulnerable due to a combination of sensor spoofing and cleartext transmission of security identifiers (SIDs).
9. Synaptics has SDCP turned off by default, relying on a flawed custom Transport Layer Security (TLS) stack for USB communications between the host driver and sensor.
10. The Goodix sensor vulnerability takes advantage of differences in enrollment operations between Windows and Linux systems.
11. Mitigation recommendations include enabling SDCP and conducting audits of fingerprint sensor implementations by qualified experts.
12. This is not the first time Windows Hello biometrics-based authentication has been defeated.
13. Device manufacturers need to better understand the objectives of SDCP and address the larger attack surface not covered by SDCP.
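
Items 5 and 6 describe a host that trusts whatever the sensor reports. The following is an added example, not code from the article, the researchers, or SDCP itself: a simplified host-side check that binds each match report to a fresh nonce and a keyed MAC. The `Sensor` and `Host` classes, the message format, and the pre-provisioned shared key are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

class Sensor:
    """Constructed stand-in for a sensor that holds a provisioned key."""
    def __init__(self, key):
        self.key = key

    def report(self, nonce, matched):
        body = b"MATCH" if matched else b"NOMATCH"
        # The MAC covers the host's nonce, so a report is valid for one challenge only.
        return body, hmac.new(self.key, nonce + body, hashlib.sha256).digest()

class Host:
    """Host-side verifier: one fresh nonce per login attempt."""
    def __init__(self, key):
        self.key = key
        self.pending = None

    def challenge(self):
        self.pending = os.urandom(32)
        return self.pending

    def accept(self, body, tag):
        nonce, self.pending = self.pending, None   # a nonce is single use
        if nonce is None:
            return False
        expected = hmac.new(self.key, nonce + body, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected) and body == b"MATCH"

def naive_accept(body):
    """A host with no authentication: trusts any device that says MATCH."""
    return body == b"MATCH"

def demo():
    key = os.urandom(32)                       # constructed key, assumed provisioned
    host, sensor = Host(key), Sensor(key)
    recorded = sensor.report(host.challenge(), True)
    results = {"genuine": host.accept(*recorded)}
    host.challenge()                           # new login attempt, new nonce
    results["replayed"] = host.accept(*recorded)
    host.challenge()
    unkeyed_tag = hashlib.sha256(b"MATCH").digest()   # device without the key
    results["unkeyed_device"] = host.accept(b"MATCH", unkeyed_tag)
    results["naive_host_on_replay"] = naive_accept(recorded[0])
    return results

if __name__ == "__main__":
    print(demo())
```

The check only holds if it is actually enabled and covers every message that influences the login decision, which is the gap the mitigation items above point at.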
