Researchers find flaws in Windows Hello fingerprint authentication

Windows Hello biometric authentication has been breached by researchers. This Tuesday (21), Blackwing Intelligence group announced: He managed to bypass the security mechanism on Dell, Lenovo and Microsoft computers.

The group’s research was a request made by the Microsoft Attack Research and Security Engineering (MORSE) team in October this year. “Our research uncovered several vulnerabilities that our team successfully exploited, allowing us to completely bypass Windows Hello authentication on three laptops,” Blackwing Intelligence explains.

The sensors tested belonged to the brands Goodix, Synaptics and ELAN, which equip three best-selling computers for companies: Dell Inspiron 15, Lenovo ThinkPad T14 and Microsoft Surface Pro Type Cover with Fingerprint ID. TAll of their security mechanisms were breached by researchers.

According to Blackwing Intelligence, detection of the breaches occurred through reverse engineering of the device’s software and hardware, and flaws were discovered in the cryptographic implementation of a customized TLS in the Synaptics component.

The nature of the gaps is due to the lack of implementation of Microsoft’s Secure Device Connection Protocol (SDCP) mechanism. Therefore, the decision to implement the feature is up to the manufacturers.

Windows Hello is a popular method

The discovery of the flaw is bad news for computer users with Windows Hello that have the biometrics feature enabled. Three years ago, Microsoft announced that approximately 85% of users had adopted the authentication method and that PIN entry was one of the options of the tool.

However, this is not the first flaw discovered in Windows Hello. In 2021, the company needed to fix a flaw in the system (also in biometric authentication) to prevent unauthorized access to Windows 10.