Reading the article it doesn’t sound like it’s Microsoft’s issue but the vendor’s implementation and lack of using the secure communication protocol.
Microsoft’s Windows Hello fingerprint authentication has been bypassed
Submitted 11 months ago by misk@sopuli.xyz to technology@lemmy.world
Comments
ramble81@lemm.ee 11 months ago
killeronthecorner@lemmy.world 11 months ago
“vendors implementation” rings immediate alarm bells…
Smokeless7048@lemmy.world 11 months ago
it sounds like microsoft’s own laptops dont implement the spec properly!
Aux@lemmy.world 11 months ago
Microsoft doesn’t make fingerprint readers.
ChaoticNeutralCzech@feddit.de 11 months ago
It stopped working when I uninstalled Edge, and so did the face recognition. So it depends on WebView or some shit. Pretty sure it’s Microsoft’s way of getting around the new EU regulations and hastily integrating the browser into everything, regardless of it making sense or improving security. like they did with 98 after the browser anti-competitiveness lawsuit.
pineapplelover@lemm.ee 11 months ago
Wtf. It shouldn’t even need those permissions. All it needs to do if scan if the fingerprint it stores matches you.
TORFdot0@lemmy.world 11 months ago
It uses web view for web authentication for registering your Hello PIN to your Microsoft account. So it’s by design on Microsoft’s end. You can then use the Windows Hello credential as a passkey but if you don’t want that, you’d need another solution for biometric auth.
Wooki@lemmy.world 11 months ago
Oh sweet summer child. No. That would have been the intelligent approach. It could have been fast and secure but it wouldn’t have had all that delicious telemetry nor taken another step towards charging you rent just to use your computer.
They locked it behind two online services.
pycorax@lemmy.world 11 months ago
hastily integrating the browser into everything, regardless of it making sense
So software development in general in the last couple of years?
ChaoticNeutralCzech@feddit.de 11 months ago
Yes. JavaScript is famously the best programming language ever, so why not? /s
Luci@lemmy.ca 11 months ago
Stop using biometrics for authentication!!!
TORFdot0@lemmy.world 11 months ago
Better put would be stop using biometrics for single factor authentication. A token can be stolen, or a passcode/push notification can be phished/bypassed as easy as biometrics can.
MostlyHarmless@sh.itjust.works 11 months ago
Biometrics are two factor, because you need the fingerprint and the device they unlock.
You can’t use the device without the fingerprint and you can’t take someone’s fingerprint then use them from a different device.
Bootheal0179@lemmy.world 11 months ago
In Doom I had to rip off a dudes arm to gain access to the security controls on core cooling shutdown. If you don’t want to lose an arm to stop a demon horde, you’re better off just using your girlfriend’s fingerprints
Rustmilian@lemmy.world 11 months ago
Exactly, it’s fundamentally insecure.
BorgDrone@lemmy.one 11 months ago
As with all things security, it depends entirely on your thread model and the value of what you’re trying to protect.
Biometrics can be a much more secure option than using a PIN or password, depending in circumstances.
For example: when I’m working on my laptop on the train or in a coffee shop and I need to log into some website I’d rather use my fingerprint to unlock the passkey than type in a password in a public place where I have no idea who is observing me entering my password.
Same goes for paying with your phone, you can either enter your phone PIN in a crowded supermarket or you unlock with FaceID.
0xD@infosec.pub 11 months ago
A username is not something “you are”, it’s something “you know”. Biometrics not nearly the same as usernames.
Luci@lemmy.ca 11 months ago
A username is something you are. It’s you! You are 0xD.
A password is something you know. A security key is something you have.When we interview security analysts you don’t get past the first round if you disagree.
MostlyHarmless@sh.itjust.works 11 months ago
Biometrics are perfectly fine! We probably don’t even live in the same country, I’m not going to get a hold of your fingerprints.
There seems to be a fundamental misunderstanding of what the biometrics actually do. The biometrics only unlock the device and give access to the security key. Once unlocked it’s exactly the same as using a yubikey, and far better than an authenticator app, as they use a crypto key, not a 6 digit number.
_s10e@feddit.de 11 months ago
Well
The biometrics only unlock the device
Yes
and give access to the security key
This is the goal, sure, but what does this actually mean on device that’s mostly governed by software?
There’s a chip (like a yubikey) in the device that can hold cryptographic keys.
That’s good because the key cannot (easily) be extracted from the device.
That’s good as long as no one has physical access to your device.
With physical access, you hope that the device’s unlock mechanism is reasonably secure. That’s biometrics OR password/pin.
The ‘or’ is the problem. For practical reasons you don’t want exactly one method hard-wired. You have a fingerprint scanner (good enough), the secure element (good enough) and lots of hard- and software in between (tricky).
I’m not against biometrics (to unlock a device) because it’s convinient and much better than not locking the device at all. I’m also not against device trust (which you need if you want to store crypto keys sonewhere without separate hardware), but the convience of a single-device solution (laptop or phone) comes with a risk.
If an attacker can bypass the unlock method or trick you into unlocking or compromise the device, your secrets are at risk. Having the key stored in the secure enclave (and not in a regular file on the hard disk) prevents copying the key material, but it does not prevent using the key when the attacker has some control over the (unlocked) device.
A yubikey is more secure because it’s tiny and you can carry it on your keychain. The same chip inside your laptop is more likely to fall into the hands of an attacker.
BearOfaTime@lemm.ee 11 months ago
Not on my Lenovo. Fingerprint reader requires a swipe, no print left behind.
atrielienz@lemmy.world 11 months ago
I have a lot of questions about what this guy thinks the rest of your device is covered in. Because spoiler, it’s fingerprints.
derpgon@programming.dev 11 months ago
Mine does not work at all. I’d like to see the guy trying to take fingerprints for a few hours and realizing it won’t do shit lol.
MonkderZweite@feddit.ch 11 months ago
Surprise. Or not.
FlyingSquid@lemmy.world 11 months ago
Who is surprised? Are you surprised?
n3m37h@lemmy.world 11 months ago
Pikachu is surprised
FlyingSquid@lemmy.world 11 months ago
Pikachu is always surprised. And he doesn’t even speak or read English. So I was discounting him.
tsonfeir@lemm.ee 11 months ago
Of course it has. Microsoft Windows.
psudojo@infosec.pub 11 months ago
im all for the something you have + something you are , pb&j relationship, but i dont think lathering biometrics on top is a good idea,far too many spy movies have shown Tom Cruise doing the MOST for pictures of eyeballs and fingerprints for me to ever trust this type of auth
Herowyn@jlai.lu 11 months ago
The main issue with biometrics is that you can’t change them. If your fingerprints or retina are compromised you’re fucked.
MostlyHarmless@sh.itjust.works 11 months ago
Unless I meet you in person, I’m not going to get your biometrics. The point of these is to protect your accounts from the global Internet.
autotldr@lemmings.world [bot] 11 months ago
This is the best summary I could come up with:
Microsoft’s Offensive Research and Security Engineering (MORSE) asked Blackwing Intelligence to evaluate the security of fingerprint sensors, and the researchers provided their findings in a presentation at Microsoft’s BlueHat conference in October.
The team identified popular fingerprint sensors from Goodix, Synaptics, and ELAN as targets for their research, with a newly-published blog post detailing the in-depth process of building a USB device that can perform a man-in-the-middle (MitM) attack.
Blackwing Intelligence researchers reverse engineered both software and hardware, and discovered cryptographic implementation flaws in a custom TLS on the Synaptics sensor.
The complicated process to bypass Windows Hello also involved decoding and reimplementing proprietary protocols.
The researchers found that Microsoft’s SDCP protection wasn’t enabled on two of the three devices they targeted.
Blackwing Intelligence now recommends that OEMs make sure SDCP is enabled and ensure the fingerprint sensor implementation is audited by a qualified expert.
The original article contains 474 words, the summary contains 145 words. Saved 69%. I’m a bot and I’m open source!
theneverfox@pawb.social 11 months ago
… Did that say “custom implementation of TLS”?
That’s like… The first rule of security. You don’t roll your own cryptographic implementation. Like, first you’re told that, then they tell you the difference between security and obscurity, say both those things in bold, and continue with whatever beginner topic
atocci@kbin.social 11 months ago
The Surface Pro X has a fingerprint reader? Is it on the keyboard or something? Mine sure doesn't have one.
stom@lemmy.world 11 months ago
This is why I use Linux, the fingerprint device wouldn’t be supported so this wouldn’t be an issue /s
Gork@lemm.ee 11 months ago
Mmm yes security by non-functionality. A pillar of the modern cybersecurity framework.
SpaceNoodle@lemmy.world 11 months ago
Can’t hack a brick 🤷
Kusimulkku@lemm.ee 11 months ago
Works for my webcam. Tbh I’d like someone to hack it, would mean they would’ve written drivers for it
Zeth0s@lemmy.world 11 months ago
It is called zero trust, killing functionalities is zscaler core business
Cethin@lemmy.zip 11 months ago
The fun thing about Linux is your realize physical control is ownership. You can just throw a Bootable Linux image with some utilities and remove the password from a Windows account in a second. If you really need to keep something safe, it has to be encrypted.
kadu@lemmy.world 11 months ago
That used to be true, but no longer works
Hubi@feddit.de 11 months ago
The one on my Thinkpad works just fine :)
canis_majoris@lemmy.ca 11 months ago
I got a T80s and the sensor doesn’t work.
pineapplelover@lemm.ee 11 months ago
Nah I use fprint on my arch laptop so there is fingerprint login technology. Hopefully that doesn’t have security vulnerabilities.
locuester@lemmy.zip 11 months ago
It has vulnerabilities for sure. But they haven’t been found because no one cares about hacking you or the 1 other person on earth that use Arch and fingerprint security.
RFBurns@lemmy.world 11 months ago
Correct answer.
Using any form of biometric ‘login’ under the US’s “justice” system is supremely ill-advised.
loutr@sh.itjust.works 11 months ago
That’s funny, on my XPS Windows crashed when I tried adding a fingerprint. Works flawlessly under Arch.
ultranaut@lemmy.world 11 months ago
One of the major reasons I gave up on trying to run Linux on my laptop was lack of fingerprint reader support.
elbarto777@lemmy.world 11 months ago
That would be a plus for me, actually. I never liked fingerprint authentication.
WindowsEnjoyer@sh.itjust.works 11 months ago
I did not expect that 😅