Microsoft misses own protocol, laptop fingerprint biometrics defeated in test
Microsoft’s Hello biometric authentication software has proven surprisingly fallible in a security test, requested by the software company, of three vendors’ laptops.
The challenge involved Microsoft’s Surface Pro Type Cover with an Elan fingerprint sensor, Lenovo’s ThinkPad T14s with a Synaptics sensor and Dell’s Inspiron 15 with a Goodix sensor. Each chip performs the biometric match in-sensor rather than on the host.
Blackwing Intelligence performed three months of testing that “resulted in three 100% reliable bypasses” of Hello authentication. Its researchers confessed surprise that of the three setups the Surface Pro fell easiest.
They have documented what they found in detail and say they will go even deeper with a follow-up report.
At the risk of oversimplification, the common element behind each biometric bypass appears to be Microsoft’s Secure Device Connection Protocol (SDCP), the set of standards and secure-communication rules meant to protect the link between the fingerprint sensor and the host.
In all three cases, the protocol was either not fully enabled or the system was architected in a way that sidelined it. On the Surface Pro, Microsoft’s own device, it was not implemented at all.
Closing this hole is easy for vendors: Blackwing says they just have to enable the protocol. And for good measure, the researchers add, vendors should get an independent audit of the software implementation before a white-hat firm starts digging around.