Multiple vulnerabilities have been discovered in popular fingerprint sensors used in laptops for Windows Hello fingerprint authentication. These vulnerabilities affect sensors from Goodix, Synaptics [1] [2] [3], and ELAN [1] [2], which are embedded in Dell Inspiron 15 [2], Lenovo ThinkPad T14 [1] [2] [3], and Microsoft Surface Pro X laptops [1] [2] [3].


Security researchers have found that the communication between the sensors and the devices can be exploited, bypassing Windows Hello protection [1]. Specifically, the ELAN sensor is vulnerable to sensor spoofing and cleartext transmission of security identifiers [2], allowing any USB device to masquerade as the fingerprint sensor [2]. The Synaptics sensor has the Secure Device Connection Protocol (SDCP) turned off by default and relies on a flawed custom Transport Layer Security (TLS) stack [2], which can be exploited to bypass biometric authentication [2]. The Goodix sensor exploits a difference in enrollment operations between Windows and Linux systems [2].

The manufacturers [3], Goodix [1] [2] [3], Synaptics [1] [2] [3], and ELAN [1] [2], have released patches for their chips. However, it is important to note that similar vulnerabilities may exist in other chips and computers worldwide.


While these vulnerabilities pose a significant risk, it is worth noting that biometrics can still enhance security by allowing users to choose longer, more secure passwords and generate more secure encryption keys [3]. To mitigate these vulnerabilities [2], it is recommended that original equipment manufacturers enable SDCP and have the fingerprint sensor implementation audited by independent experts [2]. It is crucial for manufacturers to prioritize security and continue to address potential vulnerabilities in their products.