Easily Bypass Laptop Fingerprint Sensors And Windows Hello

The fun part of security audits is that everybody knows that they’re a good thing, and also that they’re rarely performed prior to another range of products being shoved into the market. This would definitely seem to be the case with fingerprint sensors as found on a range of laptops that are advertised as being compatible with Windows Hello. It all began when Microsoft’s Offensive Research and Security Engineering (MORSE) asked the friendly people over at Blackwing Intelligence to take a poke at a few of these laptops, only for them to subsequently blow gaping holes in the security of the three laptops they examined.

In the article by [Jesse D’Aguanno] and [Timo Teräs] the basic system and steps they took to defeat it are described. The primary components are the fingerprint sensor and Microsoft’s Secure Device Connection Protocol (SDCP), with the latter tasked with securing the (USB) connection between the sensor and the host. Theoretically the sensitive fingerprint-related data stays on the sensor with all matching performed there (Match on Chip, MoC) as required by the Windows Hello standard, and SDCP keeping prying eyes at bay.

Interestingly, the three laptops examined (Dell Inspiron 15, Lenovo ThinkPad T14 and Microsoft Surface Pro X) all featured different sensor brands (Goodix, Synaptics and ELAN), with different security implementations. The first used an MoC with SDCP, but security was much weaker under Linux, which allowed for a fake user to be enrolled. The Synaptics implementation used a secure TLS connection that used part of the information on the laptop’s model sticker as the key, and the ELAN version didn’t even bother with security but responded merrily to basic USB queries.

To say that this is a humiliating result for these companies is an understatement, and demonstrates that nobody in his right mind should use fingerprint- or similar scanners like this for access to personal or business information.

The World ID Orb And The Question Of What Defines A Person

Among the daily churn of ‘Web 3.0’, blockchains and cryptocurrency messaging, there is generally very little that feels genuinely interesting or unique enough to pay attention to. The same was true for OpenAI CEO Sam Altman’s Ethereum blockchain-based Worldcoin when it was launched in 2021 while promising many of the same things as Bitcoin and others have for years. However, with the recent introduction of the World ID protocol by Tools for Humanity (TfH) – the company founded for Worldcoin by Mr. Altman – suddenly the interest of the general public was piqued.

Defined by TfH as a ‘privacy-first decentralized identity protocol’ World ID is supposed to be the end-all, be-all of authentication protocols. Part of it is an ominous-looking orb contraption that performs iris scans to enroll new participants. Not only do participants get ‘free’ Worldcoins if they sign up for a World ID enrollment this way, TfH also promises that this authentication protocol can uniquely identify any person without requiring them to submit any personal data, only requiring a scan of your irises.

Essentially, this would make World ID a unique ID for every person alive today and in the future, providing much more security while preventing identity theft. This naturally raises many questions about the feasibility of using iris recognition, as well as the potential for abuse and the impact of ocular surgery and diseases. Basically, can you reduce proof of personhood to an individual’s eyes, and should you?

Continue reading “The World ID Orb And The Question Of What Defines A Person”

A beige keyboard with blue and grey keys sits on a colorful deskmat atop a wooden desk. A small box with a round Touch ID button sits next to the keyboard.

Standalone Touch ID For Your Desktop Mac

With the proliferation of biometric access to mobile devices, entering a password on your desktop can feel so passé. [Snazzy Labs] decided to fix this problem for his Mac by liberating the Touch ID from a new Apple keyboard.

When Apple introduced its own silicon for its desktops, it also revealed desktop keyboards that included their Touch ID fingerprint reader system. Fingerprint access to your computer is handy, but not everyone is a fan of the typing experience on Apple keyboards. Wanting to avoid taping a keyboard under his desk, [Snazzy Labs] pulled the logic board from the keyboard and designed a new 3D printed enclosure for the Touch ID button and logic board so that the fingerprint reader could reside close to where the users hands actually are.

One interesting detail discovered was the significantly different logic boards between the standard and numpad-containing variants. The final enclosure designs feature both wireless and wired versions for both the standard and numpad logic boards if you should choose to build one of your own. We’re interested to see if someone can take this the next step and use the logic board to wire up a custom mechanical keyboard with Touch ID.

If [Snazzy Labs] seems familiar, you may recognize him from their Mac Mini Mini. If you’re more in the mood to take your security to the extreme, check out this Four Factor Biometric Lockbox that includes its own fingerprint reader.

Continue reading “Standalone Touch ID For Your Desktop Mac”

Ask Hackaday: What Is Amazon Thinking By Entering The Palm-Reading Business?

Have you heard about this One? At least three United States senators have, and they want to know what Amazon plans to do with all the biometric data collected by the Amazon One program. It’s their new contactless payment method that uses your unique palm print instead of cards or phones to make purchases, gain access to venues of work and play, and enter or pay in whatever other spaces Amazon can invade down the line. The idea is that one day, we’ll all be able to leave our homes without any form of money or ID of any kind, because we’ll all be stored away in Bezos’ big biometric file cabinet.

We tossed this one around in the writer’s room back when the Amazon One concept was nothing but a pile of buzzwords and a render or two, but these kiosks are now active in 50+ Whole Foods and Amazon 4-Star locations across the US. Here’s the deal: you can only sign up at a participating store that has a kiosk, because they have to scan your palms into the system. We were worried that the signup kiosk could easily take fingerprint scans at the same time, but according to the gifs in Morning Brew’s review, it just uses another of their point-of-sale palm scanners along with a touch screen and a card reader. But you still have to hover your entire hand over it, so who’s to say that the scan ends where the fingers begin?

Continue reading “Ask Hackaday: What Is Amazon Thinking By Entering The Palm-Reading Business?”

GitHub’s Move Away From Passwords: A Sign Of Things To Come?

Later this month, people who use GitHub may find themselves suddenly getting an error message while trying to authenticate against the GitHub API or perform actions on a GitHub repository with a username and password. The reason for this is the removal of this authentication option by GitHub, with a few ‘brown-out’ periods involving the rejection of passwords to give people warning of this fact.

This change was originally announced by GitHub in November of 2019, had a deprecation timeline assigned in February of 2020 and another blog update in July repeating the information. As noted there, only GitHub Enterprise Server remains unaffected for now. For everyone else, as of November 13th, 2020, in order to use GitHub services, the use of an OAuth token, personal token or SSH key is required.

While this is likely to affect a fair number of people who are using GitHub’s REST API and repositories, perhaps the more interesting question here is whether this is merely the beginning of a larger transformation away from username and password logins in services.

Continue reading “GitHub’s Move Away From Passwords: A Sign Of Things To Come?”

Arduino Polygraph Shows How It’s Done

Sometimes, a project comes along that makes a good reference design for anyone doing similar work. In this particular case, it’s a DIY USB polygraph-like machine by [Juangg] using an Arduino and sensors on the hardware side, and a Python front end for data visualization. It’s even complete with 3D printed enclosure and sensor elements.

[Juangg] designed it to use three sensors: a pulse sensor, a breath sensor, and one to measure Galvanic Skin Response (GSR). The pulse sensor uses a piezo element pressed against a fingertip to detect changes in pressure resulting from blood flow. It can be picky about placement, but finding sweet spot can yield remarkably good readings. The breath sensor works on a similar principle but uses a 3D printed fixture to hold the sensor between a strap and the subject’s chest, so that breathing in and out can be detected. The GSR sensor is a voltage divider used to measure small changes in skin conductivity. How well does it all work? That depends on what one is looking to get out of it, but the documentation and design files are available from the project page and the GitHub repository if anyone wants a reference for similar work.

The polygraph may have a mixed reputation, but it makes a good project that demonstrates just how messy biometrics can be from an engineering perspective. And in case you missed it, here’s a reminder that Wonder Woman and the polygraph have much more in common than you might realize.

Pistol Safe’s Poor Design Means Biometric Sensor Bypassed In Seconds

When it comes to safes, mechanical design and physical layout are just as important as the electronic bits. If care isn’t taken, one element can undermine the other. That appears to be the case with this Amazon Basics branded biometric pistol safe. Because of the mechanical design, the fingerprint sensor can be overridden with nothing more than a thin piece of metal — no melted gummi bears and fingerprint impressions involved.

push button to reset safe fingerprint reader
Small button used to register a new fingerprint. It can be reached by inserting a thin shim in the gap between the door and the frame while the safe is closed and locked.

[LockPickingLawyer] has a reputation for exposing the lunacy of poorly-designed locks of all kinds and begins this short video (embedded below) by stating that when attempting to bypass the security of a device like this, he would normally focus on the mechanical lock. But in this case, it’s far more straightforward to simply subvert the fingerprint registration.

This is how it works: the back of the front panel (which is inside the safe) has a small button. When this button is pressed, the device will be instructed to register a new fingerprint. The security of that system depends on this button being inaccessible while the safe is closed. Unfortunately it’s placed poorly and all it takes is a thin piece of metal slid through the thin opening between the door and the rest of the safe. One press, and the (closed) safe is instructed to register and trust a new fingerprint. After that, the safe can be opened in the usual way.

It’s possible that a pistol being present in the safe might get in the way of inserting a metal shim to hit the button, but it doesn’t look like it. A metal lip in the frame, or recessing the reset button could prevent this attack. The sensor could also be instructed to reject reprogramming while the door is closed. In any case, this is a great demonstration of how design elements can affect one another, and have a security impact in the process.

As for fooling sensors in a more traditional sense, here’s a reminder that we’ve seen a 3D printer and a photo of a fingerprint used to defeat a fingerprint sensor.

Continue reading “Pistol Safe’s Poor Design Means Biometric Sensor Bypassed In Seconds”