Your Laptop’s Fingerprint Lock Can Be Hacked. How Hackers Exploit Fingerprint Sensors Flaws

Multiple vulnerabilities have been found in the fingerprint sensors of Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops, which can be exploited to bypass Windows Hello authentication. These vulnerabilities were identified by researchers at Blackwing Intelligence in the sensors from Goodix, Synaptics, and ELAN. The key findings include:

  1. Match on Chip Sensors: These sensors, which integrate matching and biometric management functions, do not prevent a malicious sensor from spoofing a legitimate sensor’s communication, falsely claiming an authorized user has authenticated​​​​. Example: Imagine a scenario where an attacker has physical access to a laptop with a MoC sensor. The attacker connects a malicious device that mimics the communication pattern of a legitimate fingerprint sensor. The laptop, unable to distinguish between the malicious and legitimate sensor, accepts the spoofed communication. This results in the laptop being unlocked even though no authorized fingerprint was actually provided
  2. ELAN Sensor Exploit: This sensor is vulnerable due to a lack of Secure Device Connection Protocol (SDCP) support and cleartext transmission of security identifiers. This allows any USB device to impersonate the fingerprint sensor​​.Example: In this case, an attacker targets a laptop with an ELAN sensor that doesn’t support the Secure Device Connection Protocol (SDCP) and transmits data in cleartext. The attacker can use a custom USB device to act as a fake fingerprint sensor. When the user tries to log in, this fake sensor sends a signal that an authorized fingerprint has been recognized, tricking the system into granting access.
  3. Synaptics Sensor Exploit: The vulnerability here arises from SDCP being turned off by default and a flawed custom Transport Layer Security stack used for USB communications, which can be manipulated to bypass biometric authentication​​. Example: Consider a situation where a laptop with a Synaptics sensor has its SDCP feature turned off by default. The attacker discovers this and decides to exploit the flawed custom TLS stack that secures the USB communication between the sensor and the host. By intercepting and manipulating this communication, the attacker can bypass the fingerprint authentication, allowing unauthorized access to the laptop.
  4. Goodix Sensor Exploit: This involves exploiting differences in enrollment operations on systems with both Windows and Linux. It includes booting to Linux, enumerating valid IDs, enrolling an attacker’s fingerprint, and then using a man-in-the-middle attack to log in to Windows with the attacker’s print​​.Example: An attacker finds a laptop that dual-boots Windows and Linux and uses a Goodix sensor. The attacker boots into Linux, where SDCP is not supported, and then enrolls their own fingerprint under the same ID as a legitimate Windows user. Next, they perform a man-in-the-middle (MitM) attack on the USB communication between the host and sensor. When booting back into Windows, the attacker uses their own fingerprint to log in, exploiting the fact that the system points to the Linux database where the attacker’s fingerprint is registered as a valid user.

To mitigate these vulnerabilities, it is recommended that original equipment manufacturers enable SDCP and have the fingerprint sensor implementation audited by independent experts.

Secure Device Connection Protocol (SDCP) is a security feature designed by Microsoft to enhance the security of peripheral devices, like fingerprint sensors, that connect to a computer system. The primary purpose of SDCP is to establish a secure, authenticated channel between the device (such as a fingerprint sensor) and the host system (like a laptop or a PC). This protocol is particularly relevant in the context of biometric authentication systems, such as Windows Hello.

Here are key aspects of SDCP:

  1. End-to-End Encryption: SDCP ensures that the data transmitted between the sensor and the host system is encrypted. This encryption prevents attackers from intercepting and reading the data, which could include sensitive biometric information.
  2. Authentication: It authenticates the peripheral device to the host system, confirming that the device is legitimate and hasn’t been tampered with. This is crucial in preventing scenarios where a malicious device could pose as a legitimate biometric sensor.
  3. Integrity Checks: SDCP likely includes mechanisms to ensure the integrity of the data being transmitted. This means that any tampering or alteration of the data during transmission can be detected.
  4. Protection Against Replay Attacks: By ensuring that each communication session is unique and authenticated, SDCP helps protect against replay attacks, where an attacker tries to reuse valid data transmission to gain unauthorized access.

In the context of the vulnerabilities found in the fingerprint sensors of certain laptops, the lack of SDCP support or improper implementation of SDCP could allow attackers to exploit these weaknesses. For example, without SDCP, an attacker could potentially intercept the communication between the fingerprint sensor and the host system, manipulate it, and gain unauthorized access. Enabling and correctly implementing SDCP is thus a critical recommendation for mitigating such vulnerabilities.

Mitigation

Mitigating the identified vulnerabilities in fingerprint sensors on devices like Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X requires a multi-faceted approach, involving both software and hardware measures. Here’s how to address these flaws:

  1. Enable Secure Device Connection Protocol (SDCP): For devices that support SDCP, ensure that it is enabled. This protocol establishes a secure communication channel between the fingerprint sensor and the host device, protecting against attacks that exploit the communication link.
  2. Update Firmware and Drivers: Manufacturers often release firmware and driver updates to address known security vulnerabilities. Regularly check for and install any available updates for your fingerprint sensor and related hardware.
  3. Configure Security Settings: On devices where SDCP is turned off by default (like those with Synaptics sensors), go into the device settings or configuration and enable it. Consult the device’s user manual or support resources for specific instructions.
  4. Use Multi-Factor Authentication (MFA): Relying solely on fingerprint authentication can be risky if there are vulnerabilities. Implementing an additional layer of security, like a PIN, password, or a second factor, can greatly enhance overall security.
  5. Regular Security Audits: For organizations, regularly conducting security audits and assessments can help identify and mitigate potential vulnerabilities in biometric systems.
  6. Educate Users: Inform users about the potential risks and encourage them to be cautious, especially when enrolling or using biometric data.
  7. Monitor for Suspicious Activities: Keep an eye on system logs and access records for any unusual activities that might indicate an attempt to exploit these vulnerabilities.
  8. Consult with Device Manufacturers: In some cases, the mitigation might require hardware changes or specific updates from the manufacturer. Stay informed about any advisories or recall notices issued by the manufacturers of affected devices.
  9. Disable Fingerprint Sensor if Necessary: If the vulnerabilities cannot be mitigated effectively, consider disabling the fingerprint sensor and relying on other forms of authentication until a fix is available.
  10. Physical Security Measures: Since some attacks require physical access, enhancing physical security to prevent unauthorized access to devices is also important.

It’s crucial to stay informed about the latest security updates and advisories from the device manufacturers and implement recommended security practices. For businesses and organizations, consulting with IT security professionals to develop a comprehensive security strategy is also advisable.