Tuesday, May 21, 2024

Vogon Today

Selected News from the Galaxy

StartMag

I’ll tell you all the flaws in Microsoft’s Windows Hello

6 months ago babelfish

I'll tell you all the flaws in Microsoft's Windows Hello

Microsoft's Windows Hello fingerprint-based security system has been undermined again. This is the second time this has happened since 2021. Is it better to go back to the old passwords?

Those who thought that authentication via biometric data was the most secure and would finally allow them to abandon the cumbersome system of passwords (which must be different, changed periodically and, obviously, remembered) and the combined password and pin (same problems) will now remain disappointed by the latest report from Blackwing Intelligence researchers, tasked by Microsoft 's Offensive Research and Security Engineering (MORSE) to evaluate the security of fingerprint sensors. Well, Windows Hello didn't come out very well.

THE WINDOWS HELLO FLAW

Microsoft's Windows Hello fingerprint authentication has in fact been bypassed on Dell, Lenovo and, it seems impossible, even Microsoft laptops. In their tests, the cybersecurity experts hacked a Dell Inspiron 15, a Lenovo ThinkPad T14 and a Microsoft Surface Pro

In short, you unhinge the latch on the scanner and bypass the protection of Windows Hello, provided – it is underlined – that someone has previously used fingerprint authentication on a device. A limit which is obviously not such a limit, given that it is easier for an attacker to break into a used device to steal data rather than a new one from the factory. Blackwing Intelligence researchers explained that they reverse engineered both the software and hardware, simultaneously uncovering cryptographic implementation flaws in a custom TLS on the Synaptics sensor, with the decoding and reimplementation of proprietary protocols.

WHOSE FAULT IS IT?

“Microsoft has done a good job designing the Secure Device Connection Protocol (SDCP) to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers appear to have misunderstood some of the goals,” reads Jesse's report card. D'Aguanno and Timo Teräs, researchers at Blackwing Intelligence. “Furthermore, SDCP only covers a very narrow scope of a typical device's operation, while most devices have a significant exposed attack surface that is not covered by SDCP at all.”

Researchers found that Microsoft's SDCP protection was not enabled on two of the three targeted devices. Blackwing Intelligence recommends that OEMs ensure that SDCP is enabled and that the fingerprint sensor implementation is verified by a qualified expert.

THE PRECEDENT FOR 2021

The specialized magazine The Verge points out that it is not the first time that authentication based on Windows Hello biometrics has been defeated. Microsoft was forced to patch a Windows Hello authentication vulnerability in 2021, following a proof-of-concept that involved capturing an infrared image of a victim to spoof Windows Hello's facial recognition feature.

WHAT TO CONCLUSION?

Naturally, similar studies are more useful to those who develop software and produce hardware than to individual users. This is because the former must continually increase their defensive efforts, while the latter are not always exposed to concrete threats. In this case, for example, to undermine the security system requires the work of an expert hacker. A consideration that will not cheer everyone up.

Also because Blackwing Intelligence is already working to study memory corruption attacks on the sensor firmware and also the security of the fingerprint sensor on Linux, Android and Apple devices. In short, the eternal struggle between lock builders and thieves that has followed man since the dawn of history continues.

This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/innovazione/vi-racconto-tutte-le-falle-di-windows-hello-di-microsoft/ on Fri, 24 Nov 2023 07:38:56 +0000.