Thursday September 19, 2024

Advisory ID: NCC-CSIRT-241123-041

Summary: A study led by Blackwing Intelligence researchers Jesse D'Aguanno and Timo Teräs, supported by Microsoft's Offensive Research and Security Engineering group, indicates a potential vulnerability in Windows Hello's fingerprint authentication. If successfully exploited, this could enable a hacker to log in as the device owner, provided they can steal the device or gain unsupervised physical access to it.

Threat Type(s): Vulnerability, System Unlocking 

Impact/Vulnerability: CRITICAL/HIGH

Product(s): Laptop Computers 

Platform(s): Goodix, Synaptics, and ELAN fingerprint sensors 

Version(s): Dell Inspiron 15, Lenovo ThinkPad T14, Microsoft Surface Pro Type Cover with Fingerprint ID (for Surface Pro 8 / X) 

Description: According to the researchers, the security flaw exists in the Windows Hello fingerprint feature. Windows Hello, a biometric authentication interface in Windows, allows users to log in through facial recognition or fingerprint scanning. For fingerprint authentication, users set up their fingerprints on compatible devices. Windows Hello uses a secure enclave to store and verify the fingerprint data during login, providing enhanced security compared to traditional password-based methods. 

In the Windows Hello system, fingerprints are stored in the sensor chipset. During setup, the operating system (OS) generates an ID that the sensor chip links to the user's fingerprint. This ID is then associated with the user's account. In the login process, the sensor reads the fingerprint, and if it matches a known print, the chip sends the corresponding ID to the OS, which grants access to the account. Despite the cryptographic measures in place, weaknesses in how this exchange is protected make the device susceptible to unlocking by a hacker who gains physical access to it and connects their own electronics.

The researchers outline the specific steps for exploiting the three affected systems as follows: 

  1. Dell Inspiron 15: If hackers can boot the laptop into Linux, they can use the sensor's Linux driver to enumerate the ID numbers associated with known fingerprints. The attacker can then store their own fingerprint with an ID identical to that of the Windows user they want to impersonate. By using a man-in-the-middle device during Windows boot, the chip is directed to use the Linux database for fingerprints, allowing the attacker to log in as the Windows user.
  2. Lenovo ThinkPad T14: Similar to the Dell Inspiron 15, the ThinkPad attack involves using Linux to add a fingerprint with an ID associated with a Windows user. TLS is used to secure the connection, but this can be undermined to add a new fingerprint and log in as the targeted Windows user.
  3. Microsoft Surface Pro 8 / X Type Cover with Fingerprint ID: This is the most dangerous of all. In this case, there is no security between the chip and the OS. Any device that can mimic the chip can send a message to Windows, allowing an attacker to log in without presenting a fingerprint.
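
The ID exchange described above, modelled as an added example that is not from the advisory or the researchers' work: a host that accepts any bare "matched template ID" message (the situation described for the Surface Type Cover) beside a host that only honours an ID bound to a pairing secret and a fresh host-chosen nonce. The key, message layout and function names are assumptions, not any vendor's protocol.

```python
# Toy model of the sensor -> OS "template ID" message in the advisory.
# Everything here is constructed for illustration; no real device protocol is used.
import hmac
import hashlib
import secrets

# Hypothetical secret shared by sensor and host when the sensor was paired/enrolled.
PAIRING_KEY = b"constructed-pairing-secret-shared-at-enrolment"


def naive_host_login(ids_to_accounts, msg):
    """Host that trusts any 'matched template ID' message on the link.
    Whatever can put bytes on the link decides which account is unlocked."""
    return ids_to_accounts.get(msg["template_id"])


def sensor_authenticated_match(template_id, nonce, key=PAIRING_KEY):
    """What a paired sensor sends after a genuine match: the ID bound to the
    host's nonce with a MAC under the pairing key."""
    tag = hmac.new(key, nonce + template_id.to_bytes(4, "big"), hashlib.sha256).digest()
    return {"template_id": template_id, "tag": tag}


def hardened_host_login(ids_to_accounts, nonce, msg, key=PAIRING_KEY):
    """Host that only honours an ID whose MAC over its own fresh nonce verifies.
    A message with no tag, a forged tag, or a tag for an older nonce is refused."""
    expected = hmac.new(key, nonce + msg["template_id"].to_bytes(4, "big"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg.get("tag", b"")):
        return None
    return ids_to_accounts.get(msg["template_id"])


def demo():
    accounts = {7: "owner"}          # constructed: template ID 7 enrolled for "owner"
    spoofed = {"template_id": 7}     # a device merely mimicking the chip, no print presented
    nonce = secrets.token_bytes(16)  # fresh challenge chosen by the host per login
    genuine = sensor_authenticated_match(7, nonce)
    return (
        naive_host_login(accounts, spoofed),            # "owner": spoof succeeds
        hardened_host_login(accounts, nonce, spoofed),  # None: no valid tag
        hardened_host_login(accounts, nonce, genuine),  # "owner": paired sensor accepted
    )


if __name__ == "__main__":
    print(demo())
```

The third case with a reused nonce also fails, which is what stops a captured genuine message from being replayed at a later login.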

Consequences: Laptop hardware may be physically insecure and allow fingerprint authentication to be bypassed if the equipment falls into the wrong hands. 

Solution: 

  • Use a password instead of a fingerprint for BIOS boot authentication.
  • Users of the impacted computers should ensure they have the latest updates installed, as vendors have addressed the identified issues. 

References:

https://blackwinghq.com/blog/posts/a-touch-of-pwn-part-i/ 

https://www.theregister.com/2023/11/22/windows_hello_fingerprint_bypass/