Researchers bypass Microsoft’s fingerprint-based Windows Hello verification system: Report – Times of India
Microsoft’s Offensive Research and Security Engineering (MORSE) asked the cybersecurity company to evaluate the security of its fingerprint sensors. In October, the researchers provided their findings in a presentation at the tech giant’s BlueHat conference. Fingerprint sensors are now widely used by Windows laptop users. Microsoft has also pushed Windows Hello for a passwordless future.
A few years ago, Microsoft revealed that nearly 85% of consumers were using Windows Hello to sign into Windows 10 devices instead of using a password. It is important to note that Microsoft also counts a simple PIN as Windows Hello.
Vulnerabilities in Windows Hello authentication system
The security team identified popular fingerprint sensors from Goodix, Synaptics and ELAN as targets for the research. In a blog post, the company explained how a USB device can be built to perform a man-in-the-middle (MITM) attack. Such an attack could provide access to a stolen laptop, or even enable an “evil maid” attack on an unattended device.
Laptop models including Dell Inspiron 15, Lenovo ThinkPad T14 and Microsoft Surface Pro X were affected by the fingerprint reader attacks. This allowed the researchers to bypass the Windows Hello protection as long as the fingerprint authentication had been set up on a device earlier.
The research team reverse-engineered both software and hardware and discovered cryptographic implementation flaws in a custom TLS on the Synaptics sensor. The complicated process to bypass Windows Hello also involved decoding and reimplementing proprietary protocols.
This isn’t the first time that Windows Hello biometrics-based authentication has been bypassed. In 2021, Microsoft was forced to fix a Windows Hello authentication bypass vulnerability after a proof-of-concept surfaced that involved capturing an infrared image of a victim to spoof Windows Hello’s facial recognition feature.