November 23, 2023 · 1 min read
New vulnerabilities discovered in Windows Hello

Two security researchers from Blackwing Intelligence presented findings at the BlueHat conference in October regarding vulnerabilities affecting the three major fingerprint sensors deployed on laptops. These flaws could potentially circumvent Microsoft's Windows Hello biometric authentication system.
The researchers examined sensors from Goodix, Synaptics, and Elan, integrated respectively into the Dell Inspiron 15, Lenovo ThinkPad T14, and Surface Pro X.
Microsoft had introduced the Secure Device Connection Protocol (SDCP) to verify fingerprint device integrity and protect communications between the fingerprint sensor and the host system. Despite that, the researchers successfully bypassed Windows Hello authentication across all three laptop models using man-in-the-middle attacks executed via a Raspberry Pi 4 running Linux.
Microsoft faces limitations in independently addressing these issues, since some of the vulnerabilities originate from device manufacturer implementations rather than Microsoft's software alone.
The research was conducted as part of a collaborative project with Microsoft's Offensive Research and Security Engineering (MORSE) team. A full presentation of the findings is available online.
