New Vulnerabilities in Dell, Lenovo and Microsoft Laptops: Bypassing Windows Hello Login

admin, 2023-11-23 17:23:02

A new research has uncovered multiple vulnerabilities that could be exploited to bypass Windows Hello authentication on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops.

The flaws were discovered by researchers at hardware and software product security and offensive research firm Blackwing Intelligence, who found the weaknesses in the fingerprint sensors from Goodix, Synaptics, and ELAN that are embedded into the devices.

A prerequisite for fingerprint reader exploits is that the users of the targeted laptops have fingerprint authentication already set up.

All the fingerprint sensors are a type of sensor called "match on chip" (MoC), which integrates the matching and other biometric management functions directly into the sensor's integrated circuit.

"While MoC prevents replaying stored fingerprint data to the host for matching, it does not, in itself, prevent a malicious sensor from spoofing a legitimate sensor's communication with the host and falsely claiming that an authorized user has successfully authenticated," researchers Jesse D'Aguanno and Timo Teräs said.

The MoC also does not prevent replay of previously recorded traffic between the host and sensor.

Although the Secure Device Connection Protocol (SDCP) created by Microsoft aims to alleviate some of these problems by creating an end-to-end secure channel, the researchers uncovered a novel method that could be used to circumvent these protections and stage adversary-in-the-middle (AitM) attacks.

Specifically, the ELAN sensor was found to be vulnerable to a combination of sensor spoofing stemming from the lack of SDCP support and cleartext transmission of security identifiers (SIDs), thereby allowing any USB device to masquerade as the fingerprint sensor and claim that an authorized user is logging in.

In the case of Synaptics, not only was SDCP discovered to be turned off by default, the implementation chose to rely on a flawed custom Transport Layer Security (TLS) stack to secure USB communications between the host driver and sensor that could be weaponized to sidestep biometric authentication.

The exploitation of the Goodix sensor, on the other hand, capitalizes on a fundamental difference in enrollment operations carried out on a machine that's loaded with both Windows and Linux, taking advantage of the fact that the latter does not support SDCP to perform the following actions:

  • Boot to Linux
  • Enumerate valid IDs
  • Enroll attacker's fingerprint using the same ID as a legitimate Windows user
  • MitM the connection between the host and sensor by leveraging the cleartext USB communication
  • Boot to Windows
  • Intercept and rewrite the configuration packet to point to the Linux DB using our MitM
  • Login as the legitimate user with attacker's print


It's worth pointing out that while the Goodix sensor has separate fingerprint template databases for Windows and non-Windows systems, the attack is possible owing to the fact that the host driver sends an unauthenticated configuration packet to the sensor to specify what database to use during sensor initialization.
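
The three weaknesses the article describes (a sensor claiming success without proof, replay of recorded host-sensor traffic, and an unauthenticated configuration packet that selects the template database) all come down to messages that are not bound to a live session key. The toy model below is an added example written for this page; it is not Microsoft's SDCP wire protocol and not any vendor's firmware. It assumes the host and the genuine sensor already share a session key (real SDCP derives one from device-attested keys; here it is simply a random secret), and it shows a sensor verdict and a database-selection packet each carrying a MAC over a fresh nonce, so that a rogue USB device, a replayed claim, and a rewritten configuration packet are all rejected. The SID and template IDs are constructed values.

```python
"""Toy model of an authenticated host <-> fingerprint-sensor channel.

Constructed example for this article: NOT Microsoft's SDCP protocol and not any
vendor's firmware. It demonstrates why claims and configuration must be bound to a
session key and a fresh nonce to stop spoofing, replay and packet rewriting.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: host and genuine sensor already share a per-session key.
SESSION_KEY = os.urandom(32)
ROGUE_KEY = os.urandom(32)  # what an attacker-controlled USB device has instead


def _mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefixed encoding so ("a", "bc") and ("ab", "c") never collide.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class AuthClaim:
    nonce: bytes    # the host challenge this claim answers
    user_sid: str   # account the sensor says matched on-chip
    tag: bytes      # MAC over (nonce, user_sid); a cleartext claim has none


class Sensor:
    """Match-on-chip sensor: matching happens here, only the signed verdict leaves."""

    def __init__(self, key: bytes, enrolled: dict[str, str]):
        self._key, self._enrolled = key, enrolled   # template_id -> SID
        self._pending, self.active_db = None, "windows"

    def authenticate(self, nonce: bytes, template_id: str) -> AuthClaim | None:
        sid = self._enrolled.get(template_id)
        if sid is None:
            return None
        return AuthClaim(nonce, sid, _mac(self._key, b"auth", nonce, sid.encode()))

    def config_nonce(self) -> bytes:
        self._pending = os.urandom(16)   # sensor-chosen, so an old packet cannot be replayed
        return self._pending

    def configure(self, db_name: str, tag: bytes) -> bool:
        """Accept a database selection only when it is bound to this session's nonce."""
        if self._pending is None:
            return False
        expected = _mac(self._key, b"config", self._pending, db_name.encode())
        self._pending = None   # single use, consumed even on failure (fail closed)
        ok = hmac.compare_digest(expected, tag)
        if ok:
            self.active_db = db_name
        return ok


class Host:
    def __init__(self, key: bytes):
        self._key, self._pending = key, None

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)
        return self._pending

    def verify(self, claim: AuthClaim) -> bool:
        if self._pending is None or not hmac.compare_digest(claim.nonce, self._pending):
            return False   # unsolicited or replayed: not bound to the live challenge
        expected = _mac(self._key, b"auth", claim.nonce, claim.user_sid.encode())
        self._pending = None   # single use
        return hmac.compare_digest(expected, claim.tag)

    def config_packet(self, nonce: bytes, db_name: str) -> tuple[str, bytes]:
        return db_name, _mac(self._key, b"config", nonce, db_name.encode())


ENROLLED = {"tmpl-1": "S-1-5-21-0-0-0-1001"}   # constructed SID, not a real account


def scenario_replay() -> tuple[bool, bool]:
    host, sensor = Host(SESSION_KEY), Sensor(SESSION_KEY, ENROLLED)
    claim = sensor.authenticate(host.challenge(), "tmpl-1")
    first = host.verify(claim)          # genuine and live: accepted
    host.challenge()                    # a later login attempt issues a fresh nonce
    return first, host.verify(claim)    # the recorded claim replayed: rejected


def scenario_spoof() -> tuple[bool, bool]:
    host = Host(SESSION_KEY)
    rogue = Sensor(ROGUE_KEY, {"x": ENROLLED["tmpl-1"]})  # knows the SID, not the key
    wrong_key = host.verify(rogue.authenticate(host.challenge(), "x"))
    bare = host.verify(AuthClaim(host.challenge(), ENROLLED["tmpl-1"], b""))  # cleartext "matched"
    return wrong_key, bare


def scenario_config_rewrite() -> tuple[bool, bool, str]:
    host, sensor = Host(SESSION_KEY), Sensor(SESSION_KEY, ENROLLED)
    db, tag = host.config_packet(sensor.config_nonce(), "windows")
    tampered = sensor.configure("linux", tag)   # AitM rewrote the selector, kept the tag
    db, tag = host.config_packet(sensor.config_nonce(), "windows")  # host retries
    genuine = sensor.configure(db, tag)
    return tampered, genuine, sensor.active_db


if __name__ == "__main__":
    print("replay (genuine, replayed):", scenario_replay())
    print("spoof (wrong key, bare claim):", scenario_spoof())
    print("config (tampered, genuine, active db):", scenario_config_rewrite())
```

The point of the model is the scope lesson in the researchers' closing quote: binding only the final "user authenticated" verdict is not enough if the packet that chooses which template database the sensor consults travels unauthenticated, so `configure` is protected by the same session key and a sensor-chosen nonce, and a rewritten selector fails even when the attacker forwards the original tag unchanged.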

To mitigate such attacks, it's recommended that original equipment manufacturers (OEMs) enable SDCP and ensure that the fingerprint sensor implementation is audited by independent qualified experts.

This isn't the first time that Windows Hello biometrics-based authentication has been successfully defeated. In July 2021, Microsoft issued patches for a medium-severity security flaw (CVE-2021-34466, CVSS score: 6.1) that could permit an adversary to spoof a target's face and get around the login screen.

"Microsoft did a good job designing SDCP to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives," the researchers said.

"Additionally, SDCP only covers a very narrow scope of a typical device's operation, while most devices have a sizable attack surface exposed that is not covered by SDCP at all."

Originally published on the WeChat official account 知机安全: New Vulnerabilities in Dell, Lenovo and Microsoft Laptops: Bypassing Windows Hello Login

Reprinted by CN-SEC中文网; original link: https://cn-sec.com/archives/2232751.html
