Researchers have found a way to bypass the fingerprint-based authentication system of Windows Hello, Microsoft’s biometric security feature for Windows 10 devices. The attack requires physical access to the target device, a custom USB camera, and infrared images of the victim’s fingerprints.
Windows Hello is a biometric security feature that allows users to unlock their Windows 10 devices using their face, iris, or fingerprint. Windows Hello uses a combination of hardware and software to verify the user’s identity and prevent unauthorized access. Windows Hello facial recognition works only with webcams that have an infrared sensor in addition to the regular RGB sensor. Windows Hello fingerprint recognition works with fingerprint scanners that are compatible with the Windows Biometric Framework (WBF).
How the Attack Works
Researchers from the cybersecurity firm Blackwing Intelligence have discovered vulnerabilities in the fingerprint sensors from Goodix, Synaptics, and ELAN that are embedded in several Windows 10 laptops. These sensors do not encrypt or otherwise protect the fingerprint data they capture, so an attacker with physical access can extract the raw images of the user’s fingerprints from the device.
The attacker can then use these images to craft a custom USB camera that mimics a legitimate Windows Hello Face camera. The camera can stream the infrared images of the user’s fingerprints to the device, tricking Windows Hello into thinking that the user’s face is present and unlocking the device. The attack does not require any modification of the device’s firmware or software, and can be performed in less than a minute.
How to Protect Yourself
Microsoft released patches for this vulnerability in July 2021 and advised users to enable “Windows Hello enhanced sign-in security”, which uses virtualization-based security to encrypt Windows Hello face data and process it in a protected area of memory. Users can also configure a registry value that disables all external cameras for use with Windows Hello Face, or use a PIN or password instead of biometric authentication.
The researchers have also recommended that fingerprint sensor manufacturers implement encryption and protection mechanisms for the fingerprint data they capture, and that Windows Hello verify the integrity and authenticity of the camera input before accepting it.
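The two recommendations above (protect the captured data on the sensor side; have the host verify that a capture is authentic before accepting it) come down to one design: the host and the sensor share a key provisioned at pairing time, the host issues a fresh challenge for every capture, and the sensor answers with a frame tagged under that key. The toy model below is an added illustration, not Microsoft’s, Blackwing Intelligence’s, or any sensor vendor’s code. The class names, the 32-byte pairing key, and the sample frame bytes are all constructed for the example; a production design would additionally encrypt the frame with an AEAD under the same pairing key, which is omitted here to keep the block to the standard library.

```python
"""Toy model of an authenticated sensor-to-host capture channel (added example).

Each capture carries an HMAC-SHA256 tag over (challenge || frame) under a key
provisioned at pairing. The host rejects three failure modes the article
describes: an unpaired device substituted on the bus, a frame altered in
transit, and a previously accepted capture replayed against a new session.
All names and sample values below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Capture:
    challenge: bytes  # host-issued nonce this frame answers
    frame: bytes      # raw biometric sample (constructed bytes in the demo)
    tag: bytes        # HMAC-SHA256 over challenge || frame


class PairedSensor:
    """Sensor holding a key provisioned at pairing; tags every frame it emits."""

    def __init__(self, pairing_key: bytes) -> None:
        self._key = pairing_key

    def capture(self, challenge: bytes, frame: bytes) -> Capture:
        tag = hmac.new(self._key, challenge + frame, hashlib.sha256).digest()
        return Capture(challenge, frame, tag)


class UnpairedSensor:
    """Device that was never paired (models a substituted USB camera): it can
    produce frames but has no key, so its tags cannot verify."""

    def capture(self, challenge: bytes, frame: bytes) -> Capture:
        return Capture(challenge, frame, b"\x00" * hashlib.sha256().digest_size)


class Host:
    """Host side: issues single-use challenges and checks each capture."""

    def __init__(self, pairing_key: bytes) -> None:
        self._key = pairing_key
        self._outstanding: set[bytes] = set()  # challenges issued, not yet answered

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def accept(self, cap: Capture) -> bool:
        # Freshness: the challenge must be one we issued and not yet consumed,
        # so a capture recorded earlier cannot be replayed.
        if cap.challenge not in self._outstanding:
            return False
        # Authenticity and integrity: recompute the tag under the pairing key
        # and compare in constant time.
        expected = hmac.new(self._key, cap.challenge + cap.frame, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cap.tag):
            return False
        # Consume the challenge only after a successful check.
        self._outstanding.discard(cap.challenge)
        return True


def run_scenarios() -> dict:
    """Exercise the host against a paired sensor and the three failure modes."""
    pairing_key = secrets.token_bytes(32)          # constructed for the demo
    host = Host(pairing_key)
    paired = PairedSensor(pairing_key)
    unpaired = UnpairedSensor()
    frame = b"constructed-sample-frame-bytes"       # stands in for a real image

    c1 = host.issue_challenge()
    genuine = host.accept(paired.capture(c1, frame))
    replayed = host.accept(paired.capture(c1, frame))   # c1 already consumed

    c2 = host.issue_challenge()
    spoofed = host.accept(unpaired.capture(c2, frame))  # no pairing key

    c3 = host.issue_challenge()
    good_cap = paired.capture(c3, frame)
    tampered = host.accept(Capture(c3, frame + b"!", good_cap.tag))  # frame altered

    return {"genuine": genuine, "replayed": replayed,
            "spoofed": spoofed, "tampered": tampered}


if __name__ == "__main__":
    print(run_scenarios())  # only "genuine" should be True
```

The single-use challenge is what turns a plain integrity check into a liveness check for the channel: without it, a valid capture recorded from the real sensor could be presented again later. A real implementation would bind the pairing key to the sensor hardware (for example via a secure element) so that extracting raw frames from the bus yields nothing the host will accept.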
The Implications of the Attack
The attack demonstrates the limitations and risks of biometric authentication systems, which rely on physical characteristics that are not secret and can be copied or spoofed. It also shows that the hardware components of a device must be secured alongside its software. The researchers have warned that similar attacks could be possible against other biometric systems, such as iris or voice recognition, and that users should be aware of the potential threats and take precautions to protect their devices and data.