
How to give Windows Hello the finger and login as someone on their stolen laptop
2023-11-22 22:36

Hardware security hackers have detailed how it's possible to bypass Windows Hello's fingerprint authentication and log in as someone else - if you can steal or be left alone with a vulnerable device.

The research focuses on bypassing Windows Hello's fingerprint authentication on three laptops: a Dell Inspiron 15, a Lenovo ThinkPad T14, and a Microsoft Surface Pro 8/X, which were using fingerprint sensors from Goodix, Synaptics, and ELAN, respectively.

As far as we can tell, this isn't so much a problem with Windows Hello or using fingerprints.

Windows Hello allows users to log into the OS using their fingerprint.

Crucially, the MITM electronics rewrite that config data on the fly to tell the chip to use the Linux database, and not the Windows database, for fingerprints.

Thus when the miscreant next touches their finger to the reader, the chip will recognize the print and return the ID number for that print from the Linux database, which is the same ID number associated with a Windows user, and Windows will log the attacker in as that user.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/11/22/windows_hello_fingerprint_bypass/