Identity, Endpoint/Device Security

Windows Hello bypassed with laptop fingerprint sensor bugs

Microsoft, Dell, and Lenovo laptops had faulty implementations of the Secure Device Connection Protocol in their fingerprint sensors, which enabled Windows Hello authentication bypass and potential app access and data exfiltration activities, SiliconAngle reports. SDCP was not activated in Microsoft's Surface X two-in-one device, allowing threat actors to possibly leverage malware-laced devices to hijack the fingerprint sensor, according to a report from Blackwing Intelligence. Meanwhile, Lenovo has used a custom TLS encryption protocol, instead of SDCP, to secure the ThinkPad T14's fingerprint sensor, which could be compromised through an encryption key that could be extrapolated from the name and serial number of the device. On the other hand, threat actors could exploit Dell Inspiron 15's SDCP activation in Windows alone to enable Linux loading before gathering fingerprint sensor data during login request processing. "Microsoft did a good job designing Secure Device Connection Protocol (SDCP) to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives," said researchers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.