Easily Bypass Laptop Fingerprint Sensors And Windows Hello

November 27, 2023 by Maya Posch 30 Comments

The fun part of security audits is that everybody knows that they’re a good thing, and also that they’re rarely performed prior to another range of products being shoved into the market. This would definitely seem to be the case with fingerprint sensors as found on a range of laptops that are advertised as being compatible with Windows Hello. It all began when Microsoft’s Offensive Research and Security Engineering (MORSE) asked the friendly people over at Blackwing Intelligence to take a poke at a few of these laptops, only for them to subsequently blow gaping holes in the security of the three laptops they examined.

In the article by [Jesse D’Aguanno] and [Timo Teräs] the basic system and steps they took to defeat it are described. The primary components are the fingerprint sensor and Microsoft’s Secure Device Connection Protocol (SDCP), with the latter tasked with securing the (USB) connection between the sensor and the host. Theoretically the sensitive fingerprint-related data stays on the sensor with all matching performed there (Match on Chip, MoC) as required by the Windows Hello standard, and SDCP keeping prying eyes at bay.

Interestingly, the three laptops examined (Dell Inspiron 15, Lenovo ThinkPad T14 and Microsoft Surface Pro X) all featured different sensor brands (Goodix, Synaptics and ELAN), with different security implementations. The first used an MoC with SDCP, but security was much weaker under Linux, which allowed for a fake user to be enrolled. The Synaptics implementation used a secure TLS connection that used part of the information on the laptop’s model sticker as the key, and the ELAN version didn’t even bother with security but responded merrily to basic USB queries.

To say that this is a humiliating result for these companies is an understatement, and demonstrates that nobody in his right mind should use fingerprint- or similar scanners like this for access to personal or business information.

Home Assistant Get Fingerprint Scanning

May 28, 2020 by Al Williams 13 Comments

Biometrics — like using your fingerprint as a password — is certainly convenient and are pretty commonplace on phones and laptops these days. While their overall security could be a problem, they certainly fit the bill to keep casual intruders out of your system. [Lewis Barclay] had some sensors gathering dust and decided to interface them to his Home Assistant setup using an ESP chip and MQTT.

You can see the device working in the video below. The code is on GitHub, and the only thing we worried about was the overall security. Of course, the security of fingerprint scanners is debatable since you hear stories about people lifting fingerprints with tape and glue, but even beyond that, if you were on the network, it would seem like you could sniff and fake fingerprint messages via MQTT. Depending on your security goals, that might not be a big deal and, of course, that assumes someone could compromise your network to start with.

Continue reading “Home Assistant Get Fingerprint Scanning” →

Pistol Safe’s Poor Design Means Biometric Sensor Bypassed In Seconds

October 3, 2019 by Donald Papp 38 Comments

When it comes to safes, mechanical design and physical layout are just as important as the electronic bits. If care isn’t taken, one element can undermine the other. That appears to be the case with this Amazon Basics branded biometric pistol safe. Because of the mechanical design, the fingerprint sensor can be overridden with nothing more than a thin piece of metal — no melted gummi bears and fingerprint impressions involved.

push button to reset safe fingerprint reader — Small button used to register a new fingerprint. It can be reached by inserting a thin shim in the gap between the door and the frame while the safe is closed and locked.

[LockPickingLawyer] has a reputation for exposing the lunacy of poorly-designed locks of all kinds and begins this short video (embedded below) by stating that when attempting to bypass the security of a device like this, he would normally focus on the mechanical lock. But in this case, it’s far more straightforward to simply subvert the fingerprint registration.

This is how it works: the back of the front panel (which is inside the safe) has a small button. When this button is pressed, the device will be instructed to register a new fingerprint. The security of that system depends on this button being inaccessible while the safe is closed. Unfortunately it’s placed poorly and all it takes is a thin piece of metal slid through the thin opening between the door and the rest of the safe. One press, and the (closed) safe is instructed to register and trust a new fingerprint. After that, the safe can be opened in the usual way.

It’s possible that a pistol being present in the safe might get in the way of inserting a metal shim to hit the button, but it doesn’t look like it. A metal lip in the frame, or recessing the reset button could prevent this attack. The sensor could also be instructed to reject reprogramming while the door is closed. In any case, this is a great demonstration of how design elements can affect one another, and have a security impact in the process.

As for fooling sensors in a more traditional sense, here’s a reminder that we’ve seen a 3D printer and a photo of a fingerprint used to defeat a fingerprint sensor.

Continue reading “Pistol Safe’s Poor Design Means Biometric Sensor Bypassed In Seconds” →

Fooling Fingerprint Scanners With A Resin Printer

April 8, 2019 by Lewin Day 12 Comments

Biometrics have often been used as a form of access control. While this was initially limited to bank vaults in Hollywood movies, it’s now common to see such features on many laptops and smartphones. Despite the laundry list of reasons why this is a bad idea, the technology continues to grow in popularity. [darkshark] has shown us an easy exploit, using a 3D printer to fool the Galaxy S10’s fingerprint scanner.

The Galaxy S10 is interesting for its use of an ultrasonic fingerprint sensor, which continues to push to hardware development of phones minimal-to-no bezels by placing the sensor below the screen. The sensor is looking for the depth of the ridges of your fingerprint, while the touchscreen verifies the capacitive presence of your meaty digit. This hack satisfies both of those checks.

[darkshark] starts with a photograph of a fingerprint on a wineglass. This is then manipulated in Photoshop, before being used to create geometry in 3DSMAX to replicate the original finger. After making the part on an AnyCubic Photon LCD resin printer, the faux-finger pad is able to successfully unlock the phone by placing the print on the glass and touching your finger on top of it.ster

[darkshark] notes that the fingerprint was harvested at close range, but a camera with the right lenses could capture similar detail at a distance. The other thing to note is that if your phone is stolen, it’s likely covered in greasy fingerprints anyway. As usual, it serves as an excellent reminder that fingerprints are not passwords, and should not be treated as such. If you need to brush up on the fundamentals, we’ve got a great primer on how fingerprint scanners work, and another on why using fingerprints for security is a bad plan.

[via reddit, thanks to TheEngineer for the tip!]