Biometric Breakthrough Turned Breach: Windows Hello's Future?

Biometric Breakthrough Turned Breach: Windows Hello’s Future?

Logging into a Windows laptop with a fingerprint scanner is easy; just place your finger on a scanner, and the operating system lets you in. However, researchers have shown that, while this method is convenient, it’s not hackproof.

So, how can people hack past a Windows Hello fingerprint scan, and should you worry about it?

Can People Hack Windows Hello Fingerprint Scanners?

If a hacker wants to bypass a fingerprint scanner on a Windows machine, they’re aiming to get past a service called Windows Hello. This service handles how you log into Windows, such as PINs, facial scans, and fingerprint scans.

As part of research into Windows Hello’s strength, two white-hat hackers , Jesse D’Aguanno and Timo Teräs, posted a report on their website, Blackwing HQ . The report details how they breached three popular devices: the Dell Inspiron 15, Lenovo ThinkPad T14, and the Microsoft Surface Pro Type Cover.

How the Hackers Breached Windows Hello on the Dell Inspiron 15

For the Dell Inspiron 15, the hackers noticed they could boot into Linux on the laptop. Once logged into Linux, they can register their fingerprints in the system and give it the same ID as the Windows user they want to log into.

Then, they perform a man-in-the-middle attack on the connection between the PC and the sensor. They set it up so that when Windows goes to double-check that a scanned fingerprint is legitimate, it ends up checking the Linux database of fingerprints instead of its own.

To dodge Windows Hello, the hackers uploaded their fingerprints to the Linux database, assigned it the same ID as the user on Windows, and then tried to log into Windows with their fingerprints. During the authentication process, they redirected the packet to the Linux database, which told Windows that the user at the specified ID was ready to log in.

How the Hackers Breached Windows Hello on the Lenovo ThinkPad T14

For the Lenovo ThinkPad, the hackers discovered that the laptop used a custom encryption method to verify fingerprints. With some work, the hackers managed to decrypt it, giving them a way into the fingerprint verification process.

Once done, the hackers could force the fingerprint database to accept their fingerprint as the user’s. Then, all they had to do was scan their fingerprint to access the Lenovo ThinkPad.

How the Hackers Breached Windows Hello on the Microsoft Surface Pro Type Cover

The hackers believed the Surface Pro would be the hardest device to crack, but they were surprised to find the Surface Pro lacked a lot of security measures for checking valid fingerprints. In fact, they discovered that they only had to dodge past one defense, then tell the Surface Pro that the fingerprint scan was successful, and the device let them in.

What Do These Hacks Mean for You?

These hacks may sound pretty scary if you use fingerprints to log into your laptop. However, it’s essential to remember some crucial things before you forgo fingerprint scans entirely.

1. The Attacks Were Performed by Skilled Hackers

The reason threats like ransomware as a service are so deadly is that anyone with minimal cybersecurity can use them. However, the above hacks require a high level of expertise, with a deep understanding of how devices authenticate fingerprints and how to avoid them.

2. The Attacks Require the Attacker to Physically Interact With the Device

The hackers must have physical contact with the device to perform the above hacks. In the report, the hackers stated they might be able to create USB devices that can perform the attack once plugged in, but that means a potential attacker needs to plug something into your PC to hack it.

3. The Attacks Only Work on Specific Devices

You’ll notice that each attack had to take a different path to achieve the same goal. Every device is unique, and a hack that works on one device may not work on another. As such, you shouldn’t believe that Windows Hello has now been blown wide open on every device; it’s just these three that failed.

While these hacks may sound scary, they’ll be challenging to perform against actual targets. The hacker will likely have to steal the device to perform these hacks, which would undoubtedly alert the previous owner.

How to Stay Safe From Fingerprint Hacking

As stated above, the discovered hacks are complicated to perform and may require the hacker to remove the device to hack into it physically. As such, there’s an extremely low chance that these attacks will personally target you.

However, if you’re still not satisfied, there are some ways to protect yourself from fingerprint scanner hacks:

1. Do Not Leave Devices Unattended and Unprotected

Because a hacker will need to interact with your device physically, you should ensure it doesn’t fall into the wrong hands. For computers, you can take steps to stop it from being stolen . If you’re using a laptop, never leave it alone in a public space, and use an anti-theft laptop bag to stop people from tearing your bag open.

Windows Hello supports many different login methods, some more secure than others. If you’ve fallen out of love with fingerprint scans, check out if face, iris, fingerprint, PIN, or password logins are more secure , and choose one that suits you best.

If you’re worried about these hacks, it’s important to remember that there’s a very low chance they’ll target you specifically. As such, you should be safe using fingerprint scans; just don’t allow people to steal your devices.