Date: 2023-11-22

Authentication via Microsoft's Windows Hello fingerprint was bypassed on Dell, Lenovo and even Microsoft-branded laptops. Blackwing Intelligence researchers have discovered several vulnerabilities in the three main fingerprint sensors integrated into laptops and widely used by companies.

Microsoft’s Offensive Research and Security Engineering (MORSE) asked Blackwing Intelligence to evaluate the security of fingerprint sensors, and the researchers provided their findings in a presentation at Microsoft’s BlueHat conference in October.

The team identified popular fingerprint sensors from Goodix, Synaptics and ELAN as targets for their research, with a blog post detailing the in-depth process of building a USB device capable of carrying out a man-in-the-middle (MitM) attack. A Dell Inspiron 15, a Lenovo ThinkPad T14 and a Microsoft Surface Pro all fell victim to fingerprint reader attacks, allowing researchers to bypass Windows Hello protection, as long as someone has previously used fingerprint authentication on the device.

Researchers at Blackwing Intelligence reverse engineered both the software and hardware and found cryptographic implementation flaws in a custom TLS on the Synaptics sensor. The complicated process of bypassing Windows Hello also involved reverse engineering and reimplementing proprietary protocols.