Vietnam.vn - Platform for promoting Vietnam

Security flaw allows PC access without fingerprint

Báo Thanh niên, 23/11/2023


According to Neowin, the Blackwell Intelligence team presented its findings in October at Microsoft's BlueHat security conference, but only posted the results on its own website this week. The blog post, titled "A Touch of Pwn," said the team tested the fingerprint sensors inside Dell Inspiron 15 and Lenovo ThinkPad T14 laptops, as well as the Microsoft Surface Pro Type Cover with Fingerprint ID made for the Surface Pro 8 and X. The fingerprint sensors in question were manufactured by Goodix, Synaptics, and ELAN.


It took Blackwell about 3 months of research to discover a vulnerability in Windows Hello.

All of the Windows Hello-enabled fingerprint sensors the team tested use chip-based hardware, meaning authentication is handled on the sensor itself, which has its own chip and storage.

In its statement, Blackwell said that the database of "fingerprint templates" (biometric data captured by the fingerprint sensor) is stored on the chip, and that enrollment and matching are done directly on the chip. Since the fingerprint templates never leave the chip, this eliminates privacy concerns as the biometric data is stored securely. It also prevents attacks that involve sending valid fingerprint images to a server for matching.

Blackwell, however, managed to bypass the system by reverse engineering the fingerprint sensors to find vulnerabilities, then building its own USB device that could perform a man-in-the-middle (MitM) attack. This device allowed the group to bypass the fingerprint authentication hardware in those devices.

Blackwell also said that although Microsoft uses the Secure Device Connection Protocol (SDCP) to provide a secure channel between the server and the biometric device, two of the three fingerprint sensors tested did not even have SDCP enabled. Blackwell recommends that all fingerprint sensor companies not only enable SDCP on their products, but also have a third-party company ensure it works.

One thing to note is that it took Blackwell about three months of effort to get past these fingerprint hardware products. It’s not clear how Microsoft and other fingerprint sensor companies are going to fix the problem based on this research.


