In a recent investigation, a team from Blackwing Intelligence uncovered significant vulnerabilities in the fingerprint sensors of popular laptop models including the Dell Inspiron, Lenovo ThinkPad, and Microsoft Surface Pro X. This discovery was part of a project initiated by Microsoft’s Offensive Research and Security Engineering (MORSE), focusing on the integrity of widely used embedded fingerprint sensors in Windows Hello authentication systems.
The research effort, led by Blackwing’s Jesse D’Aguanno and Timo Teräs, concentrated on the embedded fingerprint sensors produced by ELAN, Synaptics, and Goodix. These sensors, integral to the security mechanisms of the Microsoft Surface Pro X, Lenovo ThinkPad T14, and Dell Inspiron 15, were found to have exploitable flaws, raising questions about the robustness of biometric security in these devices.
How did researchers compromise these devices?
The fingerprint sensors in question are all Match-on-Chip (MoC) varieties, designed with their own microprocessor and storage so that fingerprint matching happens securely inside the chip itself. However, this design has a significant limitation.
While MoC sensors effectively prevent the misuse of stored fingerprint data for authentication, they are not inherently designed to block a compromised sensor from imitating the communication patterns of a legitimate sensor. This flaw could result in false signals of successful user authentication or the replay of past interactions between the sensor and the host system.
In response to these potential vulnerabilities, Microsoft introduced the Secure Device Connection Protocol (SDCP). This protocol aimed to confirm the integrity and trustworthiness of the fingerprint device, as well as safeguard the data exchange between the fingerprint sensor and the host on these specific laptops.
Despite these measures, the researchers from Blackwing Intelligence managed to navigate around the Windows Hello authentication system on all three laptop models. They employed man-in-the-middle (MiTM) attacks, utilizing a custom setup involving a Raspberry Pi 4 running Linux. Their approach involved a mix of software and hardware reverse engineering, cracking cryptographic weaknesses in the Synaptics sensor’s custom TLS protocol, and deciphering and replicating proprietary communication protocols.
In the case of the Dell and Lenovo laptops, the bypass was accomplished by identifying valid user IDs and substituting the attacker’s fingerprint for that of a legitimate Windows user. This was possible because the Synaptics sensor in these devices relied on its own custom TLS stack to secure USB communication, rather than on Microsoft’s Secure Device Connection Protocol (SDCP).
For the Microsoft Surface device, which was equipped with an ELAN fingerprint sensor lacking SDCP safeguards, the situation was different. This sensor communicated in cleartext over USB, with no authentication of the sensor to the host. The researchers imitated the fingerprint sensor by disconnecting the Surface’s Type Cover, which housed the sensor, and then sending valid-looking login confirmations from a device spoofing it.
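To make the property the text attributes to SDCP concrete (a host that verifies the sensor's result instead of trusting a cleartext "match" message, as in the ELAN case above), here is an added illustrative model; it is not Microsoft's SDCP nor any vendor's firmware. It assumes a constructed pre-shared device key and a nonce-plus-HMAC exchange, a simplification of the real protocol's device key pair and key exchange.

```python
import hashlib
import hmac
import os

# Constructed per-device secret (assumption standing in for the sensor's device
# key; real SDCP uses a device key pair and a key exchange, not modelled here).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def plaintext_host_accepts(message: dict) -> bool:
    """Unprotected host (the ELAN case): any 'match' message is trusted, so a
    device impersonating the sensor over USB can fabricate the result itself."""
    return message.get("match") is True

def _tag(nonce: bytes, user_id: int) -> bytes:
    # MAC binds the host's fresh nonce, the matched user and the result byte.
    return hmac.new(DEVICE_KEY, nonce + user_id.to_bytes(4, "little") + b"\x01",
                    hashlib.sha256).digest()

def sensor_authenticate(nonce: bytes, user_id: int) -> dict:
    """Sensor side: reports a match together with a keyed tag over the nonce."""
    return {"user_id": user_id, "match": True, "nonce": nonce,
            "tag": _tag(nonce, user_id)}

class SecureHost:
    """Host side: issues a one-shot random nonce and checks the returned tag."""
    def __init__(self) -> None:
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(32)
        return self._pending

    def verify(self, message: dict) -> bool:
        nonce, self._pending = self._pending, None  # nonce is single use
        if nonce is None or message.get("nonce") != nonce:
            return False  # unsolicited or replayed result
        expected = _tag(nonce, message.get("user_id", 0))
        return hmac.compare_digest(expected, message.get("tag", b""))

def run_scenarios() -> dict:
    """Genuine exchange, replay of a captured one, and a forgery without the key."""
    host = SecureHost()
    captured = sensor_authenticate(host.challenge(), 1)
    genuine = host.verify(captured)
    host.challenge()                       # new session, fresh nonce
    replayed = host.verify(captured)       # old nonce no longer matches
    forged = {"user_id": 1, "match": True, "nonce": host.challenge(),
              "tag": bytes(32)}            # impersonator sees nonce, lacks key
    return {"genuine": genuine, "replayed": replayed, "forged": host.verify(forged)}
```

The plaintext host accepts the fabricated message outright, while the nonce-bound tag makes both the replay and the keyless forgery fail.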
The researchers pointed out a critical oversight in the implementation of security protocols by device manufacturers. “Microsoft did a good job designing SDCP to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives,” they stated. They also highlighted a significant limitation of SDCP, noting, “Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all.” This statement underscores the gap between the design and implementation of security measures in these devices.
The investigation by Blackwing Intelligence revealed a critical oversight: the Secure Device Connection Protocol (SDCP), a key security feature, was not activated on two of the three laptops they examined. This finding led to a significant recommendation from the Blackwing team. They urged vendors of biometric authentication technologies to not only incorporate SDCP but also ensure it is actively enabled. The effectiveness of SDCP in deterring cyber attacks is nullified if it remains unused.
Reflecting on the broader context of biometric security, Microsoft had previously shared some enlightening statistics. Three years ago, the tech giant reported a notable shift in user behavior on Windows 10 devices. The proportion of users opting for Windows Hello biometric login over traditional passwords had surged to 84.7 percent, up from 69.4 percent in 2019. This marked increase underscores the growing reliance on biometric solutions for securing devices, making the findings of Blackwing Intelligence especially pertinent for both users and manufacturers.