Researchers have discovered security flaws in the fingerprint sensors on some Windows laptops, allowing them to sign in when they shouldn’t have been able to.
The results will make some people question the safety of
passkey methods such as fingerprints, which the tech industry is introducing as a long-term replacement for passwords.
Microsoft asked a security team at US firm Blackwing Intelligence to test the safety of fingerprint sensors that manufacturers add to laptops. These sensors recognise a user’s fingerprint, letting them sign in via Microsoft’s Windows Hello security system.
When working properly, Windows Hello allows only verified users to log in. However, researchers were able to bypass this restriction by hacking into three different laptops: a Dell Inspiron 15, Lenovo ThinkPad T14 and Microsoft Surface Pro X.
Blackwing told Microsoft in October how it managed to beat the security controls, and has now published a detailed blog post explaining its methods: www.snipca. com/48469.
Its team used a Raspberry Pi 4 to carry out a man-inthe-middle (MitM) attack, in which hackers can place themselves in between two parties and alter the data being sent without either knowing. They can also impersonate either or both parties.
After disconnecting the fingerprint sensor, researchers stored their own fingerprints in a Linux database and listed them as valid Windows users.
Next, they diverted the fingerprint sensor to the Linux database which then rea
