Researchers able to bypass Windows Hello fingerprint authentication on Dell, Lenovo, and Surface laptops

Security researchers at Blackwing Intelligence have discovered multiple vulnerabilities in popular fingerprint sensors, allowing them to bypass Windows Hello fingerprint authentication on Dell, Lenovo, and even Microsoft laptops.

What is Windows Hello?
Windows Hello offers biometric authentication for Windows devices using fingerprints, faces, or irises.

The researchers built a USB device that could perform a man-in-the-middle (MitM) attack, providing access to a stolen laptop or even allowing an attacker to bypass Windows Hello protection on an unattended device.

In easier words, the researchers found that the vulnerabilities in the fingerprint sensors allow hackers to intercept and manipulate data that is being sent between the fingerprint sensor and the Windows Hello software. This means that hackers could spoof your fingerprint and gain access to your computer without you even knowing it.

This is not the first time Windows Hello biometrics-based authentication has been defeated. In 2021, Microsoft had to fix a Windows Hello authentication bypass vulnerability that involved capturing an infrared image of a victim to spoof Windows Hello’s facial recognition feature.

The researchers recommend that OEMs ensure Secure Device Connection Protocol (SDCP) is enabled on fingerprint sensors and that a qualified expert audits the fingerprint sensor implementation.

It means that companies that make these devices, aka original equipment manufacturers (OEMs), should ensure that a special security feature called Secure Device Connection Protocol (SDCP) is turned on for fingerprint sensors. They should also ensure that an expert checks the fingerprint sensor to ensure it is safe.

What users should do is they should update their Windows Hello software and avoid using fingerprints on public computers to protect against this vulnerability.