Researchers have discovered vulnerabilities in several laptop makers’ implementations of Windows Hello, the biometric login feature built into Windows.

The researchers, who work at cybersecurity company Blackwing Intelligence, detailed their findings in a Tuesday blog post. They uncovered the vulnerabilities as part of a project carried out on behalf of Microsoft Corp.’s offensive research and security engineering team. The project analyzed three laptops from Microsoft, Lenovo Group Ltd. and Dell Technologies Inc.

Windows Hello is an authentication feature that first rolled out to Windows in 2015. It allows consumers to log into their machines with a fingerprint scanner or other biometric method instead of a password. Microsoft also offers an enterprise version of the feature, Windows Hello for Business, that many organizations use to secure employees’ work devices.

The feature can prevent hackers from signing into a computer to which they gain physical access. According to Blackwing Intelligence, the vulnerabilities its researchers have discovered make it possible to bypass Windows Hello on affected laptops. Hackers could use the vulnerabilities to exfiltrate data from a stolen computer or access the user’s applications. 

The flaws relate to a Microsoft technology called the Secure Device Connection Protocol, or SDCP for short. It allows a Windows computer to verify the security of a fingerprint sensor before it’s used to process user login requests. Many laptops rely on SDCP to power their Windows Hello implementations. 

When users attempt to log into a computer with a fingerprint scanner, the scanner generates a signal that Windows Hello uses to determine whether to accept or reject the request. SDCP includes mechanisms that prevent hackers from tampering with this signal. Additionally, the technology verifies that a Windows machine’s fingerprint scanner doesn’t contain malware and was built in accordance with Microsoft’s cybersecurity requirements.

“Microsoft did a good job designing Secure Device Connection Protocol (SDCP) to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives,” Blackwing Intelligence researchers detailed in this week’s blog post. “Additionally, SDCP only covers a very narrow scope of a typical device’s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all.”

The first laptop that the researchers evaluated during their analysis of Windows Hello was Microsoft’s own Surface X two-in-one machine. They determined that the laptop doesn’t have SDCP enabled. As a result, hackers can simply open the case, replace the built-in fingerprint sensor with a custom, malware-equipped device and use that device to log in.

Blackwing Intelligence built two such devices to test the vulnerability. The first was based on a Raspberry Pi, a miniature computer priced at $35. The company’s researchers later assembled an even smaller device based on an open-source computer design.

The second laptop that Blackwing Intelligence evaluated, the Lenovo ThinkPad T14s, also fails to enable SDCP. Instead of SDCP, the laptop relies on a custom implementation of the TLS encryption protocol to secure its built-in fingerprint sensor. The protocol is most commonly used to encrypt connections between browsers and websites. 

The researchers found that the ThinkPad T14s’ fingerprint sensor can be compromised if hackers obtain its TLC implementation’s encryption key. That key, they determined, can be extrapolated from the laptop’s product name and serial number. Both pieces of information are displayed on a sticker glued to the machine’s case.

The laptop that proved most challenging for Blackwing Intelligence to compromise is Dell’s Inspiron 15. Unlike the two other machines the researchers evaluated, it does implement SDCP. However, the implementation has a major flaw: It only works on Windows. 

The researchers determined that Inspiron 15’s SDCP feature can be bypassed by configuring the laptop to load Linux instead of Windows on boot. When the machine loads Linux, hackers can intercept the data that its fingerprint sensor generates when processing login requests. They can then manipulate this data to trick Windows Hello into accepting login requests that would otherwise be rejected. 

Image: Microsoft