So here's the thing. When you're dealing with a fingerprint reader, you've got multiple things interfacing. You've got the operating system, you've got the security library interfacing between the OS and fingerprint reader, and you've got the fingerprint reader.
Microsoft did a good job on the library. It's widely regarded as being secure and does a good job of authenticating fingerprints. And that's not where the problem is. The makers of the top three fingerprint readers did a bad job of implementing their software that talks to Microsoft's library, and therein lies the flaw.
As reported from a Microsoft security conference, "A Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X all fell victim to fingerprint reader attacks, allowing the researchers to bypass the Windows Hello protection as long as someone was previously using fingerprint authentication on a device." Three very common machines, including one sold by Microsoft themselves - but containing parts made by other vendors.
This is where being hard-assed on your vendors to make sure they're correctly implementing important things - such as security protocols - is VERY important!
I bought a new MacBook Pro earlier this year, and if my Apple Watch is unlocked, when I open up my laptop, it unlocks automatically. The laptop also has a fingerprint reader, but I never use it. My 2015 iMac also unlocks to my Watch - most of the time. It's pretty cool stuff. But if my Watch is off my wrist charging or, in the case of my iMac, it is just feeling like being a bit troublesome, I can always enter my password manually.
As I have said many times before, and am sure that I'll be saying many times again, computer security is hard! It only takes one vendor to screw up, and a whole platform line can be compromised.
https://www.theverge.com/2023/11/22/23972220/microsoft-windows-hello-fingerprint-authentication-bypass-security-vulnerability
https://tech.slashdot.org/story/23/11/22/144250/microsofts-windows-hello-fingerprint-authentication-has-been-bypassed