
Researchers bypass fingerprint-based Microsoft’s Windows Hello verification system: Report – Times of India

Security researchers have discovered new vulnerabilities in Microsoft’s Windows Hello fingerprint authentication system. Researchers at cybersecurity firm Blackwing Intelligence have found that the authentication system can be bypassed on laptops from Dell, Lenovo and even Microsoft. Security experts have found multiple vulnerabilities in the top three fingerprint sensors that are embedded into laptops. This system is used widely by businesses to secure laptops with Windows Hello fingerprint authentication.
Microsoft’s Offensive Research and Security Engineering (MORSE) asked the cybersecurity company to evaluate the security of its fingerprint sensors. In October, the researchers provided their findings in a presentation at the tech giant’s BlueHat conference. Fingerprint sensors are now widely used by Windows laptop users. Microsoft has also pushed Windows Hello for a passwordless future.
A few years ago, Microsoft revealed that nearly 85% of consumers were using Windows Hello to sign into Windows 10 devices instead of using a password. It is important to note that Microsoft also counts a simple PIN as Windows Hello.
Vulnerabilities in Windows Hello authentication system
The security team identified popular fingerprint sensors from Goodix, Synaptics and ELAN as targets for the research. In a blog post, the company explained how a USB device can be built to perform a man-in-the-middle (MITM) attack. Such an attack could provide access to a stolen laptop, or even enable an “evil maid” attack on an unattended device.

Laptop models including Dell Inspiron 15, Lenovo ThinkPad T14 and Microsoft Surface Pro X were affected by the fingerprint reader attacks. This allowed the researchers to bypass the Windows Hello protection as long as the fingerprint authentication had been set up on a device earlier.
The research team reverse-engineered both software and hardware and discovered cryptographic implementation flaws in a custom TLS on the Synaptics sensor. The complicated process to bypass Windows Hello also involved decoding and reimplementing proprietary protocols.
This isn’t the first time that Windows Hello biometrics-based authentication has been bypassed. In 2021, the company was forced to fix a Windows Hello authentication bypass vulnerability after a proof-of-concept surfaced that involved capturing an infrared image of a victim to spoof Windows Hello’s facial recognition feature.

