The Wayne ([personal profile] thewayne) wrote 2023-11-30 04:40 pm

Microsoft's fingerprint authentication has been hacked

So here's the thing. When you're dealing with a fingerprint reader, you've got multiple things interfacing. You've got the operating system, you've got the security library interfacing between the OS and fingerprint reader, and you've got the fingerprint reader.

Microsoft did a good job on the library. It's widely regarded as being secure and does a good job of authenticating fingerprints. And that's not where the problem is. The makers of the top three fingerprint readers did a bad job of implementing their software that talks to Microsoft's library, and therein is the flaw.

At a Microsoft security conference, "A Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X all fell victim to fingerprint reader attacks, allowing the researchers to bypass the Windows Hello protection as long as someone was previously using fingerprint authentication on a device." Three very common machines, including one sold by Microsoft themselves - but containing parts made by other vendors.

This is where being hard-assed on your vendors to make sure they're correctly implementing important things - such as security protocols - is VERY important!

I bought a new MacBook Pro earlier this year, and if my Apple Watch is unlocked, when I open up my laptop, it unlocks automatically. The laptop also has a fingerprint reader, but I never use it. My 2015 iMac also unlocks to my Watch - most of the time. It's pretty cool stuff. But if my Watch is off my wrist charging or, in the case of my iMac, it's just feeling like being a bit troublesome, I can always enter my password manually.

As I have said many times before, and am sure that I'll be saying many times again, computer security is hard! It only takes one vendor to screw up, and a whole platform line can be compromised.

https://www.theverge.com/2023/11/22/23972220/microsoft-windows-hello-fingerprint-authentication-bypass-security-vulnerability

https://tech.slashdot.org/story/23/11/22/144250/microsofts-windows-hello-fingerprint-authentication-has-been-bypassed

[personal profile] dewline 2023-12-01 12:08 am (UTC)
Oh. Wonderful.

[personal profile] disneydream06 2023-12-01 07:11 am (UTC)
UH OH!!!!!!!!!!!!!!!!!!!!
Does true security really exist? :o :o :o
Hugs, Jon

[personal profile] disneydream06 2023-12-02 12:43 am (UTC)
LOL!!!!!!!!!!!!!!!!!!!

[personal profile] silveradept 2023-12-02 06:30 pm (UTC)
Computer security is hard, and necessary. And because it's almost always done by a corporation, that means someone probably cut something somewhere to save money, and that decision will eventually explode. It's really a question of when, and how big the explosion is.

Yes ...

[personal profile] ysabetwordsmith 2023-12-04 05:46 am (UTC)
>> Microsoft's fingerprint authentication has been hacked <<

Of course it has. Anything electronic can be hacked. The only question is how hard it is to hack. The harder it is, the higher the payoff has to be. In this case? Very high payoff; of course people went after that until someone succeeded.

Biometrics are just passwords that you can't change as long as you wear that body. Think about the hassle caused by passwords that get exposed somehow, and then imagine not even being able to change the damn things.

Re: Yes ...

[personal profile] ysabetwordsmith 2023-12-05 09:40 am (UTC)
>> They're now finding that some facial recognition security systems can be hacked by color infrared printed photographs. <<

Hardly a surprise.

>> Yeah, the worst thing is a biometric that is tied directly to you, is irrevocable, and the mechanism gets compromised. <<

Exactly.

>> Fingerprints have two additional problems: they're not 100% unique, and some people don't have 'em! <<

A problem made worse by lazy computing, because they don't compare the whole print. They just look for a handful of points. I wouldn't be satisfied unless the number of points meant the chance of duplication by two different people was 1 in 16 billion: that is, double the number of humans on Earth. That seems reasonably precise.

>> Retina scans? Your retinas change over time. <<

Well, at least that one expires eventually.

People are stupid, and then other folks get stuck with the consequences of their bad decisions. It may not be possible to avoid all biometrics, but one can at least avoid them in places where one's consent is required.