Multiple vulnerabilities have been discovered in fingerprint sensors widely used in laptops for Windows Hello fingerprint authentication. The affected sensors come from Goodix, Synaptics and ELAN [1] [2] [3]; the researchers tested them in a Dell Inspiron 15 (Goodix), a Lenovo ThinkPad T14 (Synaptics) and a Microsoft Surface Pro X (ELAN) [1] [2] [3].

Description

Security researchers found that the communication link between the sensor and the host can be attacked with a man-in-the-middle device, bypassing Windows Hello on all three laptops [1]. Each sensor fails in a different way. The ELAN sensor transmits the security identifier in cleartext and does not authenticate the sensor to the host, so any USB device can masquerade as the fingerprint sensor and report a successful match [2]. The Synaptics sensor ships with the Secure Device Connection Protocol (SDCP) turned off by default and instead protects the link with a flawed custom Transport Layer Security (TLS) stack, whose weaknesses were exploited to bypass biometric authentication [2]. The attack on the Goodix sensor exploits a difference between how fingerprint enrollment is handled on Windows and on Linux [2].
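To make the ELAN-style failure concrete, here is a small added example (not code from the page, the researchers, or Microsoft) that models a host with SDCP off accepting a cleartext match claim from any device on the bus, beside a host that challenges the sensor with a fresh nonce and verifies a keyed MAC in the style of SDCP. The message layout, the b"authorize" label and the pre-shared session key are assumptions made for the example; real SDCP derives the key from an attested sensor key via an ECDH exchange.

```python
"""Why a cleartext 'match' report can be spoofed, and how an SDCP-style keyed MAC
stops it. Added illustration only: this is neither the researchers' proof of
concept nor Microsoft's SDCP implementation. The message layout, the label
b"authorize" and the pre-shared session key are assumptions made for the
example; real SDCP derives the key from an attested sensor key via ECDH."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class MatchReport:
    template_id: bytes  # identifies the enrolled user; the vulnerable sensor sends this in cleartext
    nonce: bytes        # host challenge the report answers (ignored by the legacy host)
    mac: bytes          # keyed MAC over the report; empty when SDCP is off


# Constructed sample data: one enrolled user template and a session key.
ENROLLED_TEMPLATE = b"template-user-0001"
SESSION_KEY = hashlib.sha256(b"example session secret").digest()


class GenuineSensor:
    """Sensor that holds the session key and authenticates its match reports."""

    def __init__(self, key: bytes):
        self._key = key

    def report_match(self, template_id: bytes, nonce: bytes) -> MatchReport:
        tag = hmac.new(self._key, b"authorize" + nonce + template_id, hashlib.sha256).digest()
        return MatchReport(template_id, nonce, tag)


class SpoofingUsbDevice:
    """Attacker device on the bus: it learned the template id from cleartext
    traffic but holds no session key, so it can only claim a match."""

    def report_match(self, template_id: bytes, nonce: bytes) -> MatchReport:
        return MatchReport(template_id, nonce, b"")


class LegacyHost:
    """Host with SDCP off: trusts any report that names an enrolled template."""

    def __init__(self, enrolled):
        self._enrolled = set(enrolled)

    def authenticate(self, report: MatchReport) -> bool:
        return report.template_id in self._enrolled


class SdcpStyleHost:
    """Host that issues a fresh nonce per attempt and verifies the keyed MAC."""

    def __init__(self, enrolled, key: bytes):
        self._enrolled = set(enrolled)
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(32)
        return self._pending

    def authenticate(self, report: MatchReport) -> bool:
        nonce, self._pending = self._pending, None  # each nonce is usable once
        if nonce is None or report.nonce != nonce:
            return False  # no outstanding challenge, or a stale/replayed report
        if report.template_id not in self._enrolled:
            return False
        expected = hmac.new(self._key, b"authorize" + nonce + report.template_id, hashlib.sha256).digest()
        return hmac.compare_digest(expected, report.mac)


def run_scenarios() -> dict:
    """Exercise both hosts against the genuine sensor, the spoofing device and a replay."""
    sensor = GenuineSensor(SESSION_KEY)
    attacker = SpoofingUsbDevice()
    legacy = LegacyHost([ENROLLED_TEMPLATE])
    sdcp = SdcpStyleHost([ENROLLED_TEMPLATE], SESSION_KEY)

    results = {}
    # Legacy host: a bare claim naming a known template is enough.
    results["legacy_accepts_spoof"] = legacy.authenticate(attacker.report_match(ENROLLED_TEMPLATE, b""))

    nonce = sdcp.challenge()
    genuine_report = sensor.report_match(ENROLLED_TEMPLATE, nonce)
    results["sdcp_accepts_genuine"] = sdcp.authenticate(genuine_report)

    nonce = sdcp.challenge()
    results["sdcp_rejects_spoof"] = not sdcp.authenticate(attacker.report_match(ENROLLED_TEMPLATE, nonce))

    sdcp.challenge()  # new nonce, so the earlier genuine report no longer matches
    results["sdcp_rejects_replay"] = not sdcp.authenticate(genuine_report)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The point of the comparison is that the template identifier is not a secret once it has crossed the bus in cleartext; what the legacy host lacks is any proof that the report came from the sensor it enrolled with. The nonce binds each report to one authentication attempt, and the MAC binds it to a key the spoofing device never held.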

The manufacturers Goodix, Synaptics and ELAN have released patches for their chips [1] [2] [3]. Note, however, that the researchers examined only three laptops; similar weaknesses may well exist in other sensors and in other systems that rely on them.

Conclusion

These vulnerabilities are serious, but biometrics still add value: a user who unlocks with a fingerprint can afford a longer, stronger password, and the platform can derive stronger encryption keys from it [3]. To mitigate the findings, the researchers recommend that original equipment manufacturers enable SDCP and have their fingerprint sensor implementation audited by independent experts [2]. Vendors should treat such weaknesses as a priority and keep addressing them in their products.

References

[1] https://www.theverge.com/2023/11/22/23972220/microsoft-windows-hello-fingerprint-authentication-bypass-security-vulnerability
[2] https://thehackernews.com/2023/11/new-flaws-in-fingerprint-sensors-let.html
[3] https://www.darkreading.com/vulnerabilities-threats/researchers-undermine-windows-hello-lenovo-dell-surface-pro-pcs