Windows Hello Fingerprint Authentication Bypassed on Popular Laptops


November 22, 2023 at 09:06AM

Security researchers successfully bypassed fingerprint authentication on three popular laptops equipped with Windows Hello. Blackwing Intelligence and Microsoft’s MORSE conducted the research, targeting a Dell Inspiron 15, a Lenovo ThinkPad T14s, and a Microsoft Surface Pro X. The attacks required physical access to the devices and involved spoofing legitimate user IDs or signaling to the system that an authorized user was logging in. Microsoft has released a video and Blackwing published a blog post detailing the findings.

Summary:

– Security researchers from Blackwing Intelligence and Microsoft’s MORSE conducted tests on fingerprint sensors used for Windows Hello on three popular laptops.
– The targets of the tests were a Dell Inspiron 15, Lenovo ThinkPad T14s, and Microsoft Surface Pro X, all with different fingerprint sensors.
– The sensors tested are Match-on-Chip, meaning the fingerprint data is stored directly on the chip and doesn’t leave the sensor.
– The demonstrated attack required physical access to the targeted device, either through theft or an evil maid attack.
– The researchers bypassed Windows Hello fingerprint authentication on the Dell and Lenovo laptops by spoofing a legitimate user’s ID to enroll the attacker’s fingerprint.
– On the Surface device, the attacker needed to unplug the keyboard (Type Cover) with an embedded fingerprint sensor and connect a USB device to spoof the sensor and gain authorized access.
– Blackwing published a blog post detailing part of their findings, and Microsoft released a video of their presentation at the BlueHat conference in October.
