{"id":263281,"date":"2023-11-27T04:08:20","date_gmt":"2023-11-27T09:08:20","guid":{"rendered":"https:\/\/sftarticles.wpenginepowered.com\/en\/?p=263281"},"modified":"2025-07-01T17:33:01","modified_gmt":"2025-07-02T00:33:01","slug":"dell-lenovo-microsoft-fingerprint-sensor-vulnerabilities-on-leading-laptops","status":"publish","type":"post","link":"https:\/\/cms-articles.softonic.io\/en\/dell-lenovo-microsoft-fingerprint-sensor-vulnerabilities-on-leading-laptops\/","title":{"rendered":"Dell, Lenovo, Microsoft\u2026 Fingerprint sensor vulnerabilities on leading laptops"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In a recent investigation, a team from Blackwing Intelligence uncovered significant vulnerabilities in the fingerprint sensors of popular laptop models including the Dell Inspiron, Lenovo ThinkPad, and Microsoft Surface Pro X. This discovery was part of a project initiated by Microsoft&#8217;s Offensive Research and Security Engineering (MORSE), focusing on the integrity of widely used embedded fingerprint sensors in Windows Hello authentication systems.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The research effort, led by Blackwing&#8217;s Jesse D&#8217;Aguanno and Timo Ter\u00e4s, concentrated on the embedded fingerprint sensors produced by ELAN, Synaptics, and Goodix. 
These sensors, integral to the security mechanisms of the Microsoft Surface Pro X, Lenovo ThinkPad T14, and <a href=\"https:\/\/en.softonic.com\/articles\/dell-fire-template-everyone\" target=\"_blank\" rel=\"noopener\" title=\"\">Dell <\/a>Inspiron 15, were found to have exploitable flaws, raising questions about the robustness of biometric security in these devices.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How researchers compromised these devices?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The fingerprint sensors in question, all being Match-on-Chip (MoC) varieties, are designed with their own microprocessor and storage. This design enables secure, internal fingerprint matching within the chip itself. However, a significant limitation emerged in this setup. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While MoC sensors effectively prevent the misuse of stored fingerprint data for authentication, they are not inherently designed to block a compromised sensor from imitating the communication patterns of a legitimate sensor. This flaw could result in false signals of successful user authentication or the replay of past interactions between the sensor and the host system.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In response to these potential vulnerabilities, Microsoft introduced the Secure Device Connection Protocol (SDCP). This protocol aimed to confirm the integrity and trustworthiness of the fingerprint device, as well as safeguard the data exchange between the fingerprint sensor and the host on these specific laptops.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Despite these measures, the researchers from Blackwing Intelligence managed to navigate around the Windows Hello authentication system on all three laptop models. They employed man-in-the-middle (MiTM) attacks, utilizing a custom setup involving a Raspberry Pi 4 running Linux. 
Their approach involved a mix of software and hardware reverse engineering, cracking cryptographic weaknesses in the Synaptics sensor&#8217;s custom TLS protocol, and deciphering and replicating proprietary communication protocols.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"574\" src=\"https:\/\/articles-img.sftcdn.net\/sft\/articles\/auto-mapping-folder\/sites\/3\/2023\/11\/security-1024x574.jpg\" alt=\"\" class=\"wp-image-263284\" srcset=\"https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2023\/11\/security-1024x574.jpg 1024w, https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2023\/11\/security-300x169.jpg 300w, https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2023\/11\/security-768x431.jpg 768w, https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2023\/11\/security-238x134.jpg 238w, https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2023\/11\/security-370x208.jpg 370w, https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2023\/11\/security-304x170.jpg 304w, https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2023\/11\/security-150x84.jpg 150w, https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2023\/11\/security.jpg 1200w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In the case of the Dell and <a href=\"https:\/\/en.softonic.com\/articles\/lenovo-brings-back-flexible-phones-under-a-terrible-design\" target=\"_blank\" rel=\"noopener\" title=\"\">Lenovo<\/a> laptops, the security breach was accomplished through a method of identifying valid user IDs and substituting the attacker&#8217;s fingerprint for that of a legitimate Windows user. 
This was possible because the Synaptics sensor in these devices relied on a unique TLS stack for securing USB communication, rather than using Microsoft&#8217;s Secure Device Connection Protocol (SDCP).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For the Microsoft Surface device, which was equipped with an ELAN fingerprint sensor lacking SDCP safeguards, the situation was different. This sensor communicated in cleartext over USB and lacked authentication protocols. The researchers managed to imitate the fingerprint sensor by disconnecting the Surface&#8217;s Type Cover, which housed the sensor, and then sending valid login confirmations from this spoofed device.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The researchers pointed out a critical oversight in the implementation of security protocols by device manufacturers. &#8220;Microsoft did a good job designing SDCP to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives,&#8221; they stated. 
They also highlighted a significant limitation of SDCP, noting, &#8220;Additionally, SDCP only covers a very narrow scope of a typical device\u2019s operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all.&#8221; This statement underscores the gap between the design and implementation of security measures in these devices.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"574\" src=\"https:\/\/articles-img.sftcdn.net\/sft\/articles\/auto-mapping-folder\/sites\/3\/2023\/11\/security_02-1024x574.jpg\" alt=\"\" class=\"wp-image-263285\" srcset=\"https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2023\/11\/security_02-1024x574.jpg 1024w, https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2023\/11\/security_02-300x169.jpg 300w, https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2023\/11\/security_02-768x431.jpg 768w, https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2023\/11\/security_02-238x134.jpg 238w, https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2023\/11\/security_02-370x208.jpg 370w, https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2023\/11\/security_02-304x170.jpg 304w, https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2023\/11\/security_02-150x84.jpg 150w, https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2023\/11\/security_02.jpg 1200w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The investigation by Blackwing Intelligence revealed a critical oversight: the Secure Device Connection Protocol (SDCP), a key security feature, was not activated on two of the three laptops they examined. This finding led to a significant recommendation from the Blackwing team. 
They urged vendors of biometric authentication technologies to not only incorporate SDCP but also ensure it is actively enabled. The effectiveness of SDCP in deterring cyber attacks is nullified if it remains unused.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Reflecting on the broader context of biometric security, Microsoft had previously shared some enlightening statistics. Three years ago, the tech giant reported a notable shift in user behavior on Windows 10 devices. The proportion of users opting for Windows Hello biometric login over traditional passwords <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/12\/17\/a-breakthrough-year-for-passwordless-technology\/\" target=\"_blank\" rel=\"noopener\" title=\"\">had surged<\/a> to 84.7 percent, up from 69.4 percent in 2019. This marked increase underscores the growing reliance on biometric solutions for securing devices, making the findings of Blackwing Intelligence especially pertinent for both users and manufacturers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In a recent investigation, a team from Blackwing Intelligence uncovered significant vulnerabilities in the fingerprint sensors of popular laptop models including the Dell Inspiron, Lenovo ThinkPad, and Microsoft Surface Pro X. 
This discovery was part of a project initiated by Microsoft&#8217;s Offensive Research and Security Engineering (MORSE), focusing on the integrity of widely used embedded &hellip; <a href=\"https:\/\/cms-articles.softonic.io\/en\/dell-lenovo-microsoft-fingerprint-sensor-vulnerabilities-on-leading-laptops\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Dell, Lenovo, Microsoft\u2026 Fingerprint sensor vulnerabilities on leading laptops&#8221;<\/span><\/a><\/p>\n","protected":false},"author":9290,"featured_media":263283,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","wpcf-pageviews":1},"categories":[1015],"tags":[2537],"usertag":[],"vertical":[],"content-category":[],"class_list":["post-263281","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-app-subdomain-redirectionavast"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts\/263281","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/users\/9290"}],"replies":[{"embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/comments?post=263281"}],"version-history":[{"count":1,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts\/263281\/revisions"}],"predecessor-version":[{"id":316141,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts\/263281\/revisions\/316141"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/media\/263283"}],"wp:attachment":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/media?parent=263281"}],"wp:t
erm":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/categories?post=263281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/tags?post=263281"},{"taxonomy":"usertag","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/usertag?post=263281"},{"taxonomy":"vertical","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/vertical?post=263281"},{"taxonomy":"content-category","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/content-category?post=263281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}