How reliable is biometric security on laptops?

Researchers used a hardware hack to bypass Windows Hello biometric authentication on three different devices. Can you trust this login method?

Can you trust Windows Hello biometric (fingerprint) authentication

Due to mass password leaks, user forgetfulness, and other problematic areas of modern information security, alternative ways of logging in to systems and corporate software are gaining ground. Besides the familiar authenticator apps and various contactless cards and USB tokens, fingerprint-based biometric authentication is a popular choice — especially since laptop keyboards these days often come with built-in scanners.

This method does seem rather reliable at first glance; however, a recent report by Blackwing Intelligence casts doubt upon this assertion. The authors managed to hack the biometric authentication system and log in to Windows using Windows Hello on Dell Inspiron 15 and Lenovo ThinkPad T14 laptops, as well as using the Microsoft Surface Pro Type Cover with Fingerprint ID keyboard for Surface Pro 8 and Surface Pro X tablets. Let’s have a look at their findings to see whether you should update your cyberdefense strategy.

Anatomy of the hack

First of all, we must note that this was a hardware hack. The researchers had to partially disassemble all three devices, disconnect the sensors from the internal USB bus, and connect them to external USB ports through a Raspberry PI 4 device that carried out a man-in-the-middle attack. The attack exploits the fact that all chips certified for Windows Hello must store the fingerprint database independently, in the on-chip memory. No fingerprints are ever transmitted to the computer itself — only cryptographically signed verdicts such as “User X successfully passed verification”. In addition, the protocol and the chips themselves support storing multiple fingerprints for different users.

The researchers were able to perform the spoofing, although attacks varied for different laptop models. They uploaded onto the chip additional fingerprints, supposedly for a new user, but were able to modify the data exchange with the computer so that information about the successful verification of the new user would be associated with the ID of the old one.

The main reason the spoofing worked was that all verified devices deviate to some degree from the Secure Device Connection Protocol (SDCP), which Microsoft developed specifically to head off such attacks. The protocol takes account of many common attack scenarios — from data spoofing to replaying a data exchange between the operating system and the chip when the user is not at the computer. Hacking the implementation of the security system on a Dell (Goodix fingerprint scanner) proved possible due to the fact that the Linux driver doesn’t support SDCP, the chip stores two separate databases for Windows and Linux, and information about the choice of database is transmitted without encryption. Lenovo (Synaptics chip) uses its own encryption instead of SDCP, and the authors managed to figure out the key generation mechanism and decrypt the exchange protocol. Rather jaw-droppingly, the Microsoft keyboard (ELAN chip) doesn’t use SDCP at all, and the standard Microsoft encryption is simply absent.

Main takeaways

Hardware hacks are difficult to prevent, yet equally if not more difficult to carry out. This case isn’t about simply inserting a USB flash drive into a computer for a minute; skill and care are required to assemble and disassemble the target laptop, and throughout the period of unauthorized access the modifications to the computer are obvious. In other words, the attack cannot be carried out unnoticed, and it’s not possible to return the device to the rightful user before the hack is complete and the machine is restored to its original form. As such, primarily at risk are the computers of company employees with high privileges or access to valuable information, and also of those who often work remotely.

To mitigate the risk to these user groups:

  • Don’t make biometrics the only authentication factor. Complement it with a password, authenticator app, or USB token. If necessary, you can combine these authentication factors in different ways. A user-friendly policy might require a password and biometrics at the start of work (after waking up from sleep mode or initial booting), and then only biometrics during the working day;
  • Use external biometric scanners that have undergone an in-depth security audit;
  • Implement physical security measures to prevent laptops from being opened or removed from designated locations;
  • Combine all of the above with full-disk encryption and the latest versions of UEFI with secure boot functions activated.

Lastly, remember that, although biometric scanners aren’t perfect, hacking them is far more difficult than extracting passwords from employees. So even if biometrics aren’t not the optimal solution for your company, there’s no reason to restrict yourself to just passwords.