Security boffins Jesse D'Aguanno and Timo Teras say that, with varying degrees of reverse-engineering and some external hardware, they fooled the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptics sensor in a Lenovo ThinkPad T14, and the ELAN sensor in one of Microsoft's own Surface Pro Type Covers.
Although they tested just three laptop models, these are the big names among fingerprint sensor makers.
Most Windows Hello-compatible fingerprint readers use "match on chip" sensors, meaning that the sensor has processors and storage that perform fingerprint scanning and matching independently without relying on the host PC's hardware.
A different weakness ultimately defeated each fingerprint sensor. The Dell laptop's Goodix fingerprint sensor implemented SDCP correctly in Windows but used no such protections in Linux. Connecting the fingerprint sensor to a Raspberry Pi 4, the team was able to exploit the Linux support plus "poor code quality" to enrol a new fingerprint that would allow entry into a Windows account.
The Synaptics and ELAN fingerprint readers used by Lenovo and Microsoft (respectively) were defeated because, while the sensors supported SDCP, it was not enabled.
Synaptics' touchpad used a custom TLS implementation for communication that the Blackwing team could exploit, while the Surface fingerprint reader used cleartext communication over USB.
"Any USB device can claim to be the ELAN sensor (by spoofing its VID/PID) and simply claim that an authorized user is logging in," wrote D'Aguanno and Teras.
Blackwing recommends that all Windows Hello fingerprint sensors enable SDCP, the protocol Microsoft developed to prevent this exploit. PC makers should "have a qualified expert third party audit their implementation" to improve code quality and security.
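The gap between the ELAN case and an authenticated channel can be shown with a simplified host-side model. This is an added example, not code from Blackwing, Microsoft or any sensor vendor, and it is not SDCP's actual message format: the VID/PID values, message fields and function names are hypothetical, and the session key is assumed to come from an authenticated pairing step.

```python
import hashlib
import hmac
import os

# Constructed placeholder identifiers, not a real sensor's VID/PID.
EXPECTED_VID, EXPECTED_PID = 0x1234, 0x5678


def _mac_input(nonce, user, matched):
    # Fixed-length nonce first, one-byte result last, so the encoding is unambiguous.
    return nonce + user.encode() + (b"\x01" if matched else b"\x00")


def naive_accept(msg):
    """Weak check: trusts any device that reports the expected VID/PID."""
    return (msg["vid"], msg["pid"]) == (EXPECTED_VID, EXPECTED_PID) and msg["matched"]


def sensor_report(key, nonce, user, matched):
    """Report from a sensor that holds the session key: result plus a MAC over the host nonce."""
    tag = hmac.new(key, _mac_input(nonce, user, matched), hashlib.sha256).digest()
    return {"vid": EXPECTED_VID, "pid": EXPECTED_PID,
            "user": user, "matched": matched, "tag": tag}


def hardened_accept(key, nonce, msg):
    """Accept a match only if the MAC verifies for this login attempt's nonce."""
    expected = hmac.new(key, _mac_input(nonce, msg["user"], msg["matched"]),
                        hashlib.sha256).digest()
    return msg["matched"] and hmac.compare_digest(expected, msg.get("tag", b""))


def demo():
    key = os.urandom(32)     # assumption: shared via an authenticated pairing
    nonce = os.urandom(16)   # fresh for every login attempt
    genuine = sensor_report(key, nonce, "alice", True)
    # Constructed message from a device that copies the identifiers but has no key.
    unkeyed = {"vid": EXPECTED_VID, "pid": EXPECTED_PID,
               "user": "alice", "matched": True, "tag": b"\x00" * 32}
    return {
        "naive_unkeyed": naive_accept(unkeyed),
        "hardened_genuine": hardened_accept(key, nonce, genuine),
        "hardened_unkeyed": hardened_accept(key, nonce, unkeyed),
        # The same genuine report checked against a later attempt's nonce.
        "hardened_stale": hardened_accept(key, os.urandom(16), genuine),
    }


if __name__ == "__main__":
    print(demo())
```

The identifier-only check accepts the unkeyed message, while the keyed check rejects both it and a genuine report replayed against a different nonce.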