Windows Hello fingerprint technology is hacked


Security researchers have found a way to bypass popular Windows Hello fingerprint authentication technology, after discovering several vulnerabilities.

Microsoft’s MORSE (Offensive Research and Security Engineering) commissioned Blackwing Intelligence to evaluate the security of the three major fingerprint sensors built into laptops.

The firm studied a Dell Inspiron 15, a Lenovo ThinkPad T14 and a Microsoft Surface Pro X, and more specifically fingerprint sensors manufactured by ELAN, Synaptics and Goodix.

The Blackwing team then conducted “extensive reverse engineering” of the software and hardware, during which they discovered cryptographic implementation flaws in custom TLS, and decrypted and reimplemented proprietary protocols.

Learn more about Windows Hello: #BHUSA: Passwordless Windows Hello bypass revealed

All three sensors featured Match-on-Chip (MoC) technology, designed to provide additional security by ensuring fingerprint matching is done on the processor. Microsoft created the Secure Device Connection Protocol (SDCP) as an additional layer of protection. The protocol aims to prevent a compromised operating system from allowing the use of user keys when the user is not present.

However, the researchers managed to completely bypass authentication on all three laptops using man-in-the-middle attacks carried out with a Raspberry Pi 4.

“Microsoft has done a good job designing SDCP to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to be misunderstanding some of the goals.” the researchers concluded.

“Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a large attack surface that is not covered at all by SDCP. Finally, we found that SDCP was not even enabled on two out of three devices we targeted.

Blackwing Intelligence urged manufacturers to ensure that SDCP is enabled on their devices and to contact a third-party auditor to verify that the implementation is correct.

Image credit: Melnikov Dmitriy /

Leave a comment