Researchers at cybersecurity firm Blackwing Intelligence have identified new vulnerabilities in Microsoft’s Windows Hello fingerprint authentication system.
The authentication system, used widely by businesses to secure laptops, can reportedly be bypassed on devices from Dell, Lenovo, and Microsoft.
The security team chose fingerprint sensors from Goodix, Synaptics, and ELAN as the targets of the research.
They discovered cryptographic implementation flaws in a custom TLS implementation on the Synaptics sensor. They also outlined how a USB device could be built to perform a man-in-the-middle attack, providing access to a stolen laptop or enabling an “evil maid” attack on an unattended device.
The affected laptop models include the Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X.
Microsoft’s Offensive Research and Security Engineering (MORSE) engaged Blackwing Intelligence to assess the security of its fingerprint sensors, and the findings were presented at the BlueHat conference in October.