Security News > 2023 > November > Windows Hello auth bypassed on Microsoft, Dell, Lenovo laptops
Security researchers bypassed Windows Hello fingerprint authentication on Dell Inspiron, Lenovo ThinkPad, and Microsoft Surface Pro X laptops in attacks exploiting security flaws found in the embedded fingerprint sensors.
Blackwing Intelligence security researchers discovered vulnerabilities during research sponsored by Microsoft's Offensive Research and Security Engineering to assess the security of the top three embedded fingerprint sensors used for Windows Hello fingerprint authentication.
To counteract attacks that would exploit these weaknesses, Microsoft developed the Secure Device Connection Protocol, which should've ensured that the fingerprint device was trusted and healthy and that the input between the fingerprint device and the host was protected on the targeted devices.
Despite this, the security researchers successfully bypassed Windows Hello authentication using man-in-the-middle attacks on all three laptops, leveraging a custom Linux-powered Raspberry Pi 4 device.
On Dell and Lenovo laptops, authentication bypass was achieved by enumerating valid IDs and enrolling the attacker's fingerprint using the ID of a legitimate Windows user.
Microsoft said three years ago that the number of users signing into their Windows 10 devices using Windows Hello instead of using a password grew to 84.7 percent from 69.4 percent in 2019.
News URL
Related news
- Microsoft to start force-upgrading Windows 22H2 systems next month (source)
- Microsoft fixes Windows Smart App Control zero-day exploited since 2018 (source)
- Microsoft fixes Windows Server performance issues from August updates (source)
- Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack (source)
- Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws (source)
- Microsoft rolls out Office LTSC 2024 for Windows and Mac (source)
- Microsoft may have revealed Windows 11 24H2 is coming this month (source)
- Microsoft ends development of Windows Server Update Services (WSUS) (source)
- Microsoft: Windows Recall now can be removed, is more secure (source)
- Recall the Recall recall? Microsoft thinks it can make that Windows feature palatable (source)