Windows Hello Fingerprint Vulnerabilities Exposed

Recently, a team of cybersecurity experts hired by Microsoft demonstrated how many fingerprint scanners used to protect Windows PCs can be hacked to allow anyone entry. What challenges do authentication systems face in modern computing, what did the researchers demonstrate, and what does this mean going forward?

What challenges do authentication systems face in modern computing?

Ever since the first computers were designed, engineers have had to develop all kinds of protection systems with the purpose of either protecting the computer from abuse or protecting the contents held by the computer. 

For example, early computers used in large organisations would have access to all kinds of sensitive data, including employee data, cash flow, and IP, all of which criminals can exploit for personal gain. Such computers would also be open to other forms of abuse, including processing power, hiding one's location, and causing havoc for the organisation. 

But every time computers underwent some kind of technological transformation, so did cyberattacks, becoming ever more complex and ingenious. For example, early attacks would involve hackers guessing passwords (which would often be written down, use a few characters, and be trivial to guess), but as security systems became more advanced, hackers had to turn to social engineering, phishing, and even reverse engineering of hardware.

As such, the field of cybersecurity is somewhat of a cat-and-mouse game, with hackers finding exploits and cybersecurity experts developing fixes all while trying to identify exploits themselves (this relationship between hackers and cybersecurity personnel has led to numerous conspiracy theories, including the idea that antivirus companies were themselves producing viruses).

Moving towards modern times and trying to remember long, complex passwords has become somewhat of a hindrance. Considering that many devices are now portable and that technology has become seriously advanced, engineers are turning to biometrics for security as these are very difficult to replicate and extremely convenient to use.

However, integrating biometrics comes with its own range of issues, with some worried about loss of privacy, while others are concerned that biometrics can be used to eliminate consent in devices. In the case of law enforcement, there is no legal obligation to surrender the PIN code to a device, but there is nothing to stop a police officer from forcing a user’s finger onto a device or pointing the device's camera at the user's face to unlock it. 

Finally, in some cases, researchers have managed to bypass biometric systems with the use of printed faces, IR cameras, and even lifted fingerprints. Thus, while biometrics offers a decent level of security and convenience, nothing can beat an old-fashioned complex password consisting of mixed numbers, letters, and symbols that are purely random.

Researchers bypass fingerprint scanners in Windows PCs

In an attempt to see how secure fingerprint scanners are in Windows devices, Microsoft recently instructed a team of cybersecurity experts to try to bypass the fingerprint scanner in a number of devices. After a short period of time, the researchers from Blackwing Intelligence published their findings, whereby they were able to work around numerous fingerprint scanners commonly found in most Windows systems.

To bypass fingerprint authentication, the researchers turned to the fingerprint chip itself as opposed to the operating system, as Windows-based systems utilise “match-on-chip” instead of reading raw fingerprint data and then determining authentication in software. What this essentially means is that fingerprint chips integrate their own processor and memory along with a list of authenticated fingerprints so that if a match is found, an authentication message is sent to the operating system.

Now, when used with Windows, the fingerprint sensor implements Secure Device Connection Protocol (SDCP), which makes it virtually impossible to hack the chip. However, when used with Linux, this protocol is not used, and thus, with the use of a Raspberry Pi and a few other external components, the researchers were able to access the fingerprint chip and upload their own fingerprint entries. Once Windows reboots, it reads the new fingerprints as being valid.

In the case of other fingerprint devices, the researchers noted that while SDCP was supported, they were not used in favour of custom TLS implementations, which the team were able to exploit. Another fingerprint sensor was found to operate over USB with commands being sent in cleartext. Thus, the researchers merely needed to create a USB clone that can send its own commands, appearing as a valid USB fingerprint device.

The Intricacies of Match on Chip (MoC) Technology

The recent findings by cybersecurity experts shed light on the intricacies of Match on Chip (MoC) technology used in fingerprint scanners. MoC technology, designed to enhance security, integrates a microprocessor and storage within the chip itself. This design ensures that fingerprint matching is performed securely within the chip, with a database of 'fingerprint templates' stored on-chip. The primary advantage of this approach is the containment of biometric data within the chip, mitigating the risk of external exfiltration, even in the event of a host compromise.

However, this research has highlighted a critical vulnerability in MoC technology. While it effectively prevents replaying stored fingerprint data for matching, it does not safeguard against a malicious sensor spoofing legitimate sensor communication with the host. This loophole allows for false authentication claims, undermining the very security MoC technology aims to uphold. Moreover, the possibility of replaying previously observed traffic between the host and sensor remains a significant concern.

The implications of these vulnerabilities are profound, particularly in the context of personal data security and privacy. As biometric authentication becomes increasingly commonplace, addressing these security gaps is paramount to maintaining user trust and the integrity of biometric security systems.

Rethinking Security Protocols in Biometric Systems

The revelations from the recent cybersecurity research necessitate a reevaluation of security protocols in biometric systems. The Secure Device Connection Protocol (SDCP), while robust in its design, is not immune to exploitation, especially when alternative operating systems like Linux are used. This discrepancy in security measures across different platforms highlights the need for a more unified and comprehensive approach to biometric security.

Furthermore, the exploitation of custom TLS implementations and cleartext USB communications in some fingerprint devices points to a broader issue in the industry. Manufacturers often opt for custom security solutions, which, while tailored to specific needs, can overlook critical vulnerabilities. This practice not only jeopardizes the security of the devices but also exposes users to potential data breaches.

In light of these findings, there is an urgent need for industry-wide standards and protocols that ensure a high level of security across all devices and platforms. Such measures would not only enhance the security of biometric systems but also reinforce user confidence in these technologies.

What does this mean going forward?

Despite Windows incorporating numerous security features, a number of manufacturers have decided to take matters into their own hands when it comes to hardware implementation. As such, many systems currently in use are vulnerable to exploits that could easily see their security compromised.

However, all of the aforementioned attacks require physical access to the device, thus indicating that only physically stolen devices are at risk. But considering that devices are stolen on a daily basis, it is possible that hackers could learn these techniques in a very short period of time and get access to personal data held on devices. 

Going forward, it is critical that engineers designing such products avoid the use of custom implementations of security protocols, avoid cleartext at all costs, and utilise security hardware that has been provided by manufacturers.