Microsoft’s Windows Hello fingerprint authentication has been bypassed

Topic

New Reply

https://www.theverge.com/2023/11/22/23972220/microsoft-windows-hello-fingerprint-authentication-bypass-security-vulnerability

Security researchers have found flaws in the way laptop manufacturers are implementing fingerprint authentication.

Microsoft’s Windows Hello fingerprint authentication has been bypassed on laptops from Dell, Lenovo, and even Microsoft. Security researchers at Blackwing Intelligence have discovered multiple vulnerabilities in the top three fingerprint sensors that are embedded into laptops and used widely by businesses to secure laptops with Windows Hello fingerprint authentication…

Microsoft’s Offensive Research and Security Engineering (MORSE) asked Blackwing Intelligence to evaluate the security of fingerprint sensors, and the researchers provided their findings in a presentation at Microsoft’s BlueHat conference in October..

Blackwing Intelligence researchers reverse engineered both software and hardware, and discovered cryptographic implementation flaws in a custom TLS on the Synaptics sensor. ..

* Would you rely on Hello fingerprint in use as passkeys ?

3 users thanked author for this post.

NaNoNyMouse, Sueska, windbg

Reply | Quote

Replies

One of the researchers told us: “It’s my understanding from Microsoft that the issues were addressed by the vendors.

https://www.theregister.com/2023/11/22/windows_hello_fingerprint_bypass/?utm_source=daily&utm_medium=newsletter&utm_content=top-article#:~:text=One%20of%20the%20researchers%20told%20us%3A%20%22It%27s%20my%20understanding%20from%20Microsoft%20that%20the%20issues%20were%20addressed%20by%20the%20vendors.

 

Alex5723 wrote:

Would you rely on Hello fingerprint in use as passkeys ?

Bitlocker protects against this attack (if the computer is switched off):

As to what happens if the stolen machine is powered off completely, and has a BIOS password, full-disk encryption, or some other pre-boot authentication, exploitation isn’t as straight forward or perhaps even possible:

https://www.theregister.com/2023/11/22/windows_hello_fingerprint_bypass/?utm_source=daily&utm_medium=newsletter&utm_content=top-article#:~:text=As%20to%20what%20happens%20if%20the%20stolen%20machine%20is%20powered%20off%20completely%2C%20and%20has%20a%20BIOS%20password%2C%20full%2Ddisk%20encryption%2C%20or%20some%20other%20pre%2Dboot%20authentication%2C%20exploitation%20isn%27t%20as%20straight%20forward%20or%20perhaps%20even%20possible%3A

1 user thanked author for this post.

Alex5723

Reply | Quote

b wrote:

“It’s my understanding from Microsoft that the issues were addressed by the vendors.

He would wish it to be true.

I use Lenovo laptops since the first XP. They never release firmware for PCs older than 2-3 years.

I use Lenovo Y530 purchased on Aug. 2018. Last BIOS/Firmware update Mar. 2021

Reply | Quote

But that one was only 18 months old?

Reply | Quote

b wrote:

But that one was only 18 months old?

Hello fingerprint system is 18 months old ?

Reply | Quote