Security News > 2023 > November > Windows Hello auth bypassed on Microsoft, Dell, Lenovo laptops
Security researchers bypassed Windows Hello fingerprint authentication on Dell Inspiron, Lenovo ThinkPad, and Microsoft Surface Pro X laptops in attacks exploiting security flaws found in the embedded fingerprint sensors.
Blackwing Intelligence security researchers discovered vulnerabilities during research sponsored by Microsoft's Offensive Research and Security Engineering to assess the security of the top three embedded fingerprint sensors used for Windows Hello fingerprint authentication.
To counteract attacks that would exploit these weaknesses, Microsoft developed the Secure Device Connection Protocol, which should've ensured that the fingerprint device was trusted and healthy and that the input between the fingerprint device and the host was protected on the targeted devices.
Despite this, the security researchers successfully bypassed Windows Hello authentication using man-in-the-middle attacks on all three laptops, leveraging a custom Linux-powered Raspberry Pi 4 device.
On Dell and Lenovo laptops, authentication bypass was achieved by enumerating valid IDs and enrolling the attacker's fingerprint using the ID of a legitimate Windows user.
Microsoft said three years ago that the number of users signing into their Windows 10 devices using Windows Hello instead of using a password grew to 84.7 percent from 69.4 percent in 2019.
News URL
Related news
- Microsoft: Windows Recall now can be removed, is more secure (source)
- Recall the Recall recall? Microsoft thinks it can make that Windows feature palatable (source)
- Microsoft fixes Windows KB5043145 reboot loops, USB and Bluetooth issues (source)
- What Is Inside Microsoft’s Major Windows 11 Update? (source)
- Microsoft warns of Windows 11 24H2 gaming performance issues (source)
- Microsoft blocks Windows 11 24H2 on some Intel PCs over BSOD issues (source)
- Microsoft Office 2024 now available for Windows and macOS users (source)
- Microsoft fixes Remote Desktop issues caused by Windows Server update (source)
- Microsoft: Windows 11 22H2 Home and Pro reached end of servicing (source)
- Microsoft deprecates PPTP and L2TP VPN protocols in Windows Server (source)