Since Windows 10 introduced Windows Hello back in 2015, most Windows laptops and tablets have shipped with some kind of biometric authentication device installed. Sometimes that means a face- or iris-scanning infrared webcam; sometimes it means a fingerprint sensor mounted on the power button or elsewhere on the device.
While these authentication methods are convenient, they aren’t totally immune to security exploits. In 2021, researchers were able to fool some Windows Hello IR webcams with infrared images of users’ faces. And last week, researchers at Blackwing Intelligence published an extensive document showing how they had managed to work around some of the most popular fingerprint sensors used in Windows PCs.
Security researchers Jesse D’Aguanno and Timo Teräs write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the ELAN sensor in one of Microsoft’s own Surface Pro Type Covers. These are just three laptop models from the wide universe of PCs, but one of these three companies usually does make the fingerprint sensor in every laptop we’ve reviewed in the last few years. It’s likely that most Windows PCs with fingerprint readers will be vulnerable to similar exploits.
Blackwing’s post on the vulnerability is also a good overview of exactly how fingerprint sensors in a modern PC work. Most Windows Hello-compatible fingerprint readers use “match on chip” sensors, meaning that the sensor has its own processors and storage that perform all fingerprint scanning and matching independently without relying on the host PC’s hardware. This ensures that fingerprint data can’t be accessed or extracted if the host PC is compromised. If you’re familiar with Apple’s terminology, this is basically the way its Secure Enclave is set up.
Communication between the fingerprint sensor and the rest of the system is supposed to be handled by the Secure Device Connection Protocol (SCDP). This is a Microsoft-developed protocol that is meant to verify that fingerprint sensors are trustworthy and uncompromised, and to encrypt traffic between the fingerprint sensor and the rest of the PC.
Each fingerprint sensor was ultimately defeated by a different weakness. The Dell laptop’s Goodix fingerprint sensor implemented SCDP properly in Windows but used no such protections in Linux. Connecting the fingerprint sensor to a Raspberry Pi 4, the team was able to exploit the Linux support plus “poor code quality” to enroll a new fingerprint that would allow entry into a Windows account.
As for the Synaptic and ELAN fingerprint readers used by Lenovo and Microsoft (respectively), the main issue is that both sensors supported SCDP but that it wasn’t actually enabled. Synaptic’s touchpad used a custom TLS implementation for communication that the Blackwing team was able to exploit, while the Surface fingerprint reader used cleartext communication over USB for communication.
“In fact, any USB device can claim to be the ELAN sensor (by spoofing its VID/PID) and simply claim that an authorized user is logging in,” wrote D’Aguanno and Teräs.
Though all of these exploits ultimately require physical access to a device and an attacker who is determined to break into your specific laptop, the wide variety of possible exploits means that there’s no single fix that can address all of these issues, even if laptop manufacturers are motivated to implement them.
Blackwing’s first recommendation is that all Windows Hello fingerprint sensors should actually enable and use SCDP, the protocol Microsoft developed to try to prevent exactly this kind of thing from happening. SCDP obviously isn’t bulletproof, but the one fingerprint sensor that used SCDP did take more time and effort to break into. PC makers should also “have a qualified expert third party audit [their] implementation” to improve code quality and security.
To Microsoft’s credit, these findings are being published mainly because Microsoft’s Offensive Research & Security Engineering (MORSE) team invited Blackwing Intelligence to try to break the fingerprint sensors in the first place. Microsoft has a lot of control over the things that PC OEMs need to build into their Windows systems, and the company may decide to require the use of SCDP or other features in PCs going forward.
Beyond these specific exploits, the Blackwing team speculates that there may be further vulnerabilities in each fingerprint sensor’s firmware and debug interfaces that can allow for other attacks, and the readers could be vulnerable to other “direct hardware attacks” as well. The team plans to investigate these possibilities going forward, and also intends to look into fingerprint readers in Linux, Android, and Apple devices.