Major vulnerabilities in laptop fingerprint sensors found! Hackers can even bypass Microsoft Hello
Researchers have found critical vulnerabilities in fingerprint sensor-enabled laptops that may allow hackers to break in. These vulnerabilities are severe enough that using these, the researchers were able to completely bypass Microsoft Hello authentication. The new finding is concerning as many Windows laptop users use this added layer of protection to secure their devices, and hackers may take advantage of this to steal sensitive personal and financial information from users. During the study, the team was able to crack three different laptops — Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro — using these Microsoft Hello vulnerabilities.
Microsoft’s Offensive Research and Security Engineering (MORSE) approached Blackwing Intelligence to conduct a study to evaluate the security of the top three fingerprint sensors embedded in laptops. These fingerprint sensors are also commonly used for Microsoft Hello authentication.
Research finds big vulnerabilities in laptops with fingerprint sensors
The research was conducted for a period of three months, during which, all the three abovementioned laptops were broken into despite the presence of Microsoft Hello protection. Interestingly, the study reveals that all of the fingerprint sensors tested upon were “match on chip” or MoC type sensors instead of match on host type sensors. The former is generally considered to be more secure than the latter.
Dell Inspiron 15 emerged as a particularly vulnerable target during the testing period. It was found that the device displayed a number of concerns including poor coding quality and clear text communication.
In conclusion, Blackwing Intelligence found, “Microsoft did a good job designing SDCP to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives. Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all”.
It also added recommendations for vendors such as making sure that SDCP is enabled and conducting a qualified expert 3rd party audit.
Researchers have found critical vulnerabilities in fingerprint sensor-enabled laptops that may allow hackers to break in. These vulnerabilities are severe enough that using these, the researchers were able to completely bypass Microsoft Hello authentication. The new finding is concerning as many Windows laptop users use this added layer of protection to secure their devices, and hackers may take advantage of this to steal sensitive personal and financial information from users. During the study, the team was able to crack three different laptops — Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro — using these Microsoft Hello vulnerabilities.
Microsoft’s Offensive Research and Security Engineering (MORSE) approached Blackwing Intelligence to conduct a study to evaluate the security of the top three fingerprint sensors embedded in laptops. These fingerprint sensors are also commonly used for Microsoft Hello authentication.
Research finds big vulnerabilities in laptops with fingerprint sensors
The research was conducted for a period of three months, during which, all the three abovementioned laptops were broken into despite the presence of Microsoft Hello protection. Interestingly, the study reveals that all of the fingerprint sensors tested upon were “match on chip” or MoC type sensors instead of match on host type sensors. The former is generally considered to be more secure than the latter.
Dell Inspiron 15 emerged as a particularly vulnerable target during the testing period. It was found that the device displayed a number of concerns including poor coding quality and clear text communication.
In conclusion, Blackwing Intelligence found, “Microsoft did a good job designing SDCP to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives. Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all”.
It also added recommendations for vendors such as making sure that SDCP is enabled and conducting a qualified expert 3rd party audit.
Denial of responsibility! Techno Blender is an automatic aggregator of the all world’s media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – [email protected]. The content will be deleted within 24 hours.