Shulou(Shulou.com)11/24 Report--

Thanks to CTOnews.com netizens and soft media users for 1520111 clue delivery! CTOnews.com, Nov. 22, Microsoft's Windows Hello fingerprint authentication has been cracked, affecting Dell, Lenovo and Microsoft laptops. Security researchers at Blackwing Intelligence have found multiple vulnerabilities in three of the most popular fingerprint sensors, which are widely used by companies to protect laptops with Windows Hello fingerprint authentication.

Microsoft's attack and Defense Research and Security Engineering (MORSE) team invited Blackwing Intelligence to evaluate the security of fingerprint sensors, and the researchers presented their findings at the Microsoft BlueHat conference in October. The team selected three popular fingerprint sensors from Goodix, Synaptics and ELAN as their research subjects, and recently described in detail the process of building a USB device that can perform man-in-the-middle attack (MitM) in a recent blog post. Such attacks can provide access to stolen laptops and even conduct "Evil Maid" attacks on unattended devices.

Dell Inspiron 15, Lenovo ThinkPad T14 and Microsoft Surface Pro X are all victims of fingerprint attacks, and researchers can bypass Windows Hello protection as long as someone has previously used fingerprint authentication on the device. Blackwing Intelligence researchers reverse engineered the software and hardware and found a flaw in the encryption implementation of a custom TLS on the Synaptics sensor. The complex process of bypassing Windows Hello also involves decoding and reimplementing proprietary protocols.

Fingerprint sensors are now widely used in Windows laptops, thanks to Microsoft's push for the Windows Hello and password-free future. Microsoft revealed three years ago that nearly 85% of consumers use Windows Hello to log in to Windows 10 devices instead of using passwords (Microsoft counts the use of simple PIN codes as Windows Hello).

CTOnews.com notes that this is not the first time Windows Hello's biometric-based authentication has been defeated. Microsoft was forced to fix a Windows Hello authentication bypass vulnerability in 2021 that deceived Windows Hello's facial recognition function by taking infrared images of victims.

It is not clear whether Microsoft will be able to fix these latest vulnerabilities alone.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.