Windows Hello auth bypassed on Microsoft, Dell, Lenovo laptops
2023-11-22 19:08

Security researchers bypassed Windows Hello fingerprint authentication on Dell Inspiron, Lenovo ThinkPad, and Microsoft Surface Pro X laptops in attacks exploiting security flaws found in the embedded fingerprint sensors.

Blackwing Intelligence security researchers discovered the vulnerabilities during research sponsored by Microsoft's Offensive Research and Security Engineering to assess the security of the top three embedded fingerprint sensors used for Windows Hello fingerprint authentication.

To counteract attacks that would exploit these weaknesses, Microsoft developed the Secure Device Connection Protocol, which should have ensured that the fingerprint device was trusted and healthy and that the input between the fingerprint device and the host was protected on the targeted devices.

Despite this, the security researchers successfully bypassed Windows Hello authentication using man-in-the-middle attacks on all three laptops, leveraging a custom Linux-powered Raspberry Pi 4 device.

On Dell and Lenovo laptops, authentication bypass was achieved by enumerating valid IDs and enrolling the attacker's fingerprint using the ID of a legitimate Windows user.

Microsoft said three years ago that the number of users signing into their Windows 10 devices using Windows Hello instead of using a password grew to 84.7 percent from 69.4 percent in 2019.


News URL

https://www.bleepingcomputer.com/news/security/windows-hello-auth-bypassed-on-microsoft-dell-lenovo-laptops/