Windows Hello Fingerprint Scanner System Found to be Bypassable

Fingerprint scanning was originally used only to unlock the device. With the implementation of FIDO, it can now also be used for Google passkey authentication and to fill in personal information on websites. For users of the Windows Hello fingerprint scanner, a system thought to be safe has now been found to have several vulnerabilities.

Security research firm Blackwing Intelligence was asked by Microsoft's Offensive Research and Security Engineering (MORSE) team to look for vulnerabilities in the fingerprint sensors from three manufacturers, Goodix, Synaptics and ELAN, that are used for Windows Hello. Vulnerabilities in the Match-on-Chip (MoC) sensors, together with failures to use the Secure Device Connection Protocol (SDCP), allowed Windows Hello to be bypassed.

In the first vulnerability, a man-in-the-middle (MitM) attack allowed Blackwing's own fingerprint scanner to stand in for the scanner on the device, so fingerprints that did not belong to the original owner were accepted by Windows Hello. Next, they found that on two of the laptops tested, the manufacturer had not enabled SDCP, the protocol that provides an additional layer of security between the sensor and the host.

The three laptops used by Blackwing were a Dell Inspiron 15, a Lenovo ThinkPad T14 and a Microsoft Surface with a Surface Pro Type Cover equipped with a fingerprint scanner. Blackwing presented the discovery of these vulnerabilities at Microsoft's BlueHat event last month.

Having completed its study of the Windows Hello system, Blackwing now plans a similar study of the fingerprint scanning systems on Linux, Apple and Android devices.