Bypass Microsoft Hello? Major Vulnerabilities in Laptop Fingerprint Sensors Uncovered!
A team of researchers has discovered significant flaws in laptops equipped with fingerprint sensors, which could potentially enable hackers to gain unauthorized access. These vulnerabilities are so serious that the researchers were able to completely bypass the Microsoft Hello authentication system. This discovery is particularly alarming as many Windows laptop users rely on this additional security measure to safeguard their devices, leaving them vulnerable to potential theft of personal and financial data. Throughout their study, the team successfully exploited these Microsoft Hello vulnerabilities to crack three different laptop models: Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro.
Microsoft’s Offensive Research and Security Engineering (MORSE) contacted Blackwing Intelligence to conduct a study to evaluate the security of the top three fingerprint scanners embedded in laptops. These fingerprint sensors are also commonly used for Microsoft Hello authentication.
Research finds major vulnerabilities in laptops with fingerprint sensors
The investigation lasted three months, during which all three laptops mentioned above were hacked despite Microsoft Hello protection. Interestingly, the study reveals that all of the fingerprint sensors tested were match-on-chip (MoC) sensors rather than match-on-host sensors. The former type is generally considered safer than the latter.
The Dell Inspiron 15 emerged as a particularly vulnerable target during the testing period. The device was found to have several problems, such as poor encoding quality and cleartext messaging.
In summary, Blackwing Intelligence stated: “Microsoft did a good job designing SDCP to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the goals. Furthermore, SDCP only covers a very narrow area of what a typical device can do, while most devices have been exposed to considerable attack surface not covered by SDCP at all.”
Blackwing also made recommendations for suppliers, such as ensuring SDCP is in place and having a third-party audit performed by a qualified expert.