Hardware security hackers have detailed how it’s possible to bypass Windows Hello’s fingerprint authentication and login as someone else – if you can steal or be left alone with their vulnerable device.

The research was carried out by Blackwing Intelligence, primarily Jesse D’Aguanno and Timo Teräs, and was commissioned and sponsored by Microsoft’s Offensive Research and Security Engineering group. The pair’s findings were presented at the IT giant’s BlueHat conference last month, and made public this week. You can watch the duo’s talk below, or dive into the details in their write-up here.

For users and administrators: be aware your laptop hardware may be physically insecure and allow fingerprint authentication to be bypassed if the equipment falls into the wrong hands. We’re not sure how that can be fixed without replacing the electronics or perhaps updating the drivers and/or firmware within the fingerprint sensors. One of the researchers told us: “It’s my understanding from Microsoft that the issues were addressed by the vendors.” So check for updates or errata. We’ve asked the manufacturers named below for comment, and we will keep you updated.

For device makers: check out the above report to make sure you’re not building these design flaws into your products. Oh, and answer our emails.

The research focuses on bypassing Windows Hello’s fingerprint authentication on three laptops: a Dell Inspiron 15, a Lenovo ThinkPad T14, and a Microsoft Surface Pro 8/X, which were using fingerprint sensors from Goodix, Synaptics, and ELAN, respectively. All three were vulnerable in different ways. As far as we can tell, this isn’t so much a problem with Windows Hello or using fingerprints. It’s more due to shortcomings or oversights with the communications between the software side and the hardware.

Windows Hello allows users to log into the OS using their fingerprint. This fingerprint is stored within the sensor chipset. What’s supposed to happen, simply put, is that when you want to set up your laptop to use your print, the OS generates an ID and passes that to the sensor chip. The chip reads the user’s fingerprint, and stores the print internally, associating it with the ID number. The OS then links that ID with your user account.

Then when you come to login, the OS asks you to present your finger, the sensor reads it, and if it matches a known print, the chips sends the corresponding ID to the operating system, which then grants you access to the account connected to that ID number. The physical communication between the chip and OS involves cryptography to, ideally, secure this authentication method from attackers.

But blunders in implementing this system have left at least the above named devices vulnerable to unlocking – provided one can nab the gear long enough to connect some electronics.

“In all, this research took approximately three months and resulted in three 100 percent reliable bypasses of Windows Hello authentication,” Blackwing’s D’Aguanno and Teräs wrote on Tuesday.

Here’s a summary of the techniques used and described by the infosec pair:

• • Model: Dell Inspiron 15
  • Method: If someone can boot the laptop into Linux, they can use the sensor’s Linux driver to enumerate from the sensor chip the ID numbers associated with known fingerprints. That miscreant can then store in the chip their own fingerprint with an ID number identical to the ID number of the Windows user they want to login as. The chip stores this new print-ID association in an internal database associated with Linux; it doesn’t overwrite the existing print-ID association in its internal database for Windows.

    The attacker then attaches a man-in-the-middle (MITM) device between the laptop and the sensor, and boots into Windows. The Microsoft OS sends some non-authenticated configuration data to the chip. Crucially, the MITM electronics rewrites that config data on the fly to tell the chip to use the Linux database, and not the Windows database, for fingerprints. Thus when the miscreant next touches their finger to the reader, the chip will recognize the print, return the ID number for that print from the Linux database, which is the same ID number associated with a Windows user, and Windows will log the attacker in as that user.

  • Model: Lenovo ThinkPad T14
  • Method: The attack used against the ThinkPad is similar to the one above. While the Dell machine uses Microsoft’s Secure Device Connection Protocol (SDCP) between the OS and the chip, the T14 uses TLS to secure the connection. This can be undermined to again, using Linux, add a fingerprint with an ID associated with a Windows user, and once booted back into Windows, login as that user using the new fingerprint.
  • Model: Microsoft Surface Pro 8 / X Type Cover with Fingerprint ID
  • Method: This is the worst. There is no security between the chip and OS at all, so the sensor can be replaced with anything that can masquerade as the chip and simply send a message to Windows saying: Yup, log that user in. And it works. Thus an attacker can log in without even presenting a fingerprint.

Interestingly enough, D’Aguanno told us restarting the PC with Linux isn’t required for exploitation – a MITM device can do the necessary probing and enrollment of a fingerprint itself while the computer is still on – so preventing the booting of non-Windows operating systems, for instance, won’t be enough to stop a thief. The equipment can be hoodwinked while it’s still up and running.

“Booting to Linux isn’t actually required for any of our attacks,” D’Aguanno told us. “On the Dell (Goodix) and ThinkPad (Synaptics), we can simply disconnect the fingerprint sensor and plug into our own gear to attack the sensors. This can also be done while the machine is on since they’re embedded USB, so they can be hot plugged.”

In that scenario, “Bitlocker wouldn’t affect the attack,” he added.

As to what happens if the stolen machine is powered off completely, and has a BIOS password, full-disk encryption, or some other pre-boot authentication, exploitation isn’t as straight forward or perhaps even possible: you’d need to get the machine booted far enough into Windows for the Blackwing team’s fingerprint bypass to work. The described techniques may work against BIOSes that check for fingerprints to proceed with the startup sequence.

“If there’s a password required to boot the machine, and the machine is off, then that could stop this just by nature of the machine not booting to the point where fingerprint authentication is available,” D’Aguanno clarified to us.

“However, at least one of the implementations allows you to use fingerprint authentication for BIOS boot authentication, too. Our focus was on the impact to Windows Hello, though, so we did not investigate that further at this point, but that may be able to be exploited too.”

The duo also urged manufacturers to use SDCP and enable to connect sensor chips to Windows: “It doesn’t help if it’s not turned on.”

They also promised to provide more details about the vulnerabilities they exploited in all three targets in future, and were obviously circumspect in giving away too many details that could be used to crack kit.

Source: How to bypass Windows Hello, log into vulnerable laptops • The Register

Commercial air crews are reporting something “unthinkable” in the skies above the Middle East: novel “spoofing” attacks have caused navigation systems to fail in dozens of incidents since September.

In late September, multiple commercial flights near Iran went astray after navigation systems went blind. The planes first received spoofed GPS signals, meaning signals designed to fool planes’ systems into thinking they are flying miles away from their real location. One of the aircraft almost flew into Iranian airspace without permission. Since then, air crews discussing the problem online have said it’s only gotten worse, and experts are racing to establish who is behind it.

OPSGROUP, an international group of pilots and flight technicians, sounded the alarm about the incidents in September and began to collect data to share with its members and the public. According to OPSGROUP, multiple commercial aircraft in the Middle Eastern region have lost the ability to navigate after receiving spoofed navigation signals for months. And it’s not just GPS—fallback navigation systems are also corrupted, resulting in total failure.

According to OPSGROUP, the activity is centered in three regions: Baghdad, Cairo, and Tel Aviv. The group has tracked more than 50 incidents in the last five weeks, the group said in a November update, and identified three new and distinct kinds of navigation spoofing incidents, with two arising since the initial reports in September.

While GPS spoofing is not new, the specific vector of these new attacks was previously “unthinkable,” according to OPSGROUP, which described them as exposing a “fundamental flaw in avionics design.” The spoofing corrupts the Inertial Reference System, a piece of equipment often described as the “brain” of an aircraft that uses gyroscopes, accelerometers, and other tech to help planes navigate. One expert Motherboard spoke to said this was “highly significant.”

“This immediately sounds unthinkable,” OPSGROUP said in its public post about the incidents. “The IRS (Inertial Reference System) should be a standalone system, unable to be spoofed. The idea that we could lose all on-board nav capability, and have to ask [air traffic control] for our position and request a heading, makes little sense at first glance— especially for state of the art aircraft with the latest avionics. However, multiple reports confirm that this has happened.”

Signal jamming in the Middle East is common, but this kind of powerful spoofing is new. According to Todd Humphreys, a UT Austin professor who researches satellite communications, extremely powerful signal jammers have been present in the skies near Syria since 2018. “Syria was called ‘the most aggressive electronic warfare environment on the planet’ by the head of [U.S. Special Operations Command],” Humphreys told Motherboard.

[…]

“Apart from run-of-the-mill jamming (e.g., with chirp jammers), we have captured GPS spoofing signals in our radio trawling,” he said. “But, interestingly, the spoofing signals never seemed to be complete. They were either missing key internal data, or were not mutually consistent, and so would not have fooled a GPS receiver. They seemed to be aimed at denial of service rather than actual deception. My students and I came to realize that spoofing is the new jamming. In other words, it is being used for denial of service because it’s more effective for that purpose than blunt jamming.”

[…]

“The GPS and IRS, and their redundant backups, are the principal components of modern aircraft navigation systems,” Humphreys said. “When their readings are corrupted, the Flight Management System assumes an incorrect aircraft position, Synthetic Vision systems show the wrong context, etc. Eventually, if the pilots figure out that something is amiss, they can revert to [VHF omnidirectional range]/ [distance measure equipment] over land. But in several recent cases, air traffic control had to step in and directly provide pilots ‘vectors’ (over an insecure communications channel) to guide them to their destination. That’s not a scalable solution.”

[…]

“It shows that the inertial reference systems that act as dead-reckoning backups in case of GPS failure are no backup at all in the face of GPS spoofing because the spoofed GPS receiver corrupts the IRS, which then dead reckons off the corrupted position,” he told Motherboard. “What is more, redundant GPS receivers and IRSs (large planes have 2+ GPS receivers and 3+ IRS) offer no additional protection: they all get corrupted.”

Humphreys and others have been sounding the alarm about an attack like this occurring for the past 15 years. In 2012, he testified by Congress about the need to protect GNSS from spoofing. “GPS spoofing acts like a zero-day exploit against aviation systems,” he told Motherboard. “They’re completely unprepared for it and powerless against it.”

[…]

The entities behind the novel spoofing attacks are unknown, but Humphreys said that he and a student have narrowed down possible sources. “Using raw GPS measurements from several spacecraft in low-Earth orbit, my student Zach Clements last week located the source of this spoofing to the eastern periphery of Tehran,” he said.

Iran would not be the only country spoofing GPS signals in the region. As first reported by Politico, Clements was the first to identify spoofing most likely coming from Israel after Hamas’ Oct. 7 attacks. “The strong and persistent spoofing we’re seeing over Israel since around October 15 is almost certainly being carried out by Israel itself,” Humprheys said. “The IDF effectively admitted as much to a reporter with Haartz.” Humphreys said at the time that crews experiencing this GPS spoofing could rely on other onboard instruments to land.

Humphreys said the effects of the Israeli spoofing are identical to those observed in late September near Iran. “And these are the first clear-cut cases of GPS spoofing of commercial aircraft ever, to my knowledge,” he said. “That they happened so close in time is surprising, but possibly merely coincidental.”

Source: Commercial Flights Are Experiencing ‘Unthinkable’ GPS Attacks and Nobody Knows What to Do

Google’s Threat Analysis Group revealed on Thursday that it discovered and worked to help patch an email server flaw used to steal data from governments in Greece, Moldova, Tunisia, Vietnam and Pakistan. The exploit, known as CVE-2023-37580, targeted email server Zimbra Collaboration to pilfer email data, user credentials and authentication tokens from organizations.

It started in Greece at the end of June. Attackers that discovered the vulnerability and sent emails to a government organization containing the exploit. If someone clicked the link while logged into their Zimbra account, it automatically stole email data and set up auto-forwarding to take control of the address.

While Zimbra published a hotfix on open source platform Github on July 5, most of the activity deploying the exploit happened afterward. That means targets didn’t get around to updating the software with the fix until it was too late. It’s a good reminder to update the devices you’ve been ignoring now, and ASAP as more updates become available. “These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository, but not yet released to users,” the Google Threat Analysis Group wrote in a blog post.

Around mid-July, it became clear that threat group Winter Vivern got ahold of the exploit. Winter Vivern targeted government organizations in Moldova and Tunisia. Then, a third unknown actor used the exploit to phish for credentials from members of the Vietnam government. That data got published to an official government domain, likely run by the attackers. The final campaign Google’s Threat Analysis Group detailed targeted a government organization in Pakistan to steal Zimbra authentication tokens, a secure piece of information used to access locked or protected information.

Zimbra users were also the target of a mass-phishing campaign earlier this year. Starting in April, an unknown threat actor sends an email with a phishing link in an HTML file, according to ESET researchers. Before that, in 2022, threat actors used a different Zimbra exploit to steal emails from European government and media organizations.

As of 2022, Zimbra said it had more than 200,000 customers, including over 1,000 government organizations. “The popularity of Zimbra Collaboration among organizations expected to have lower IT budgets ensures that it stays an attractive target for adversaries,” ESET researchers said about why attackers target Zimbra.

Source: An email vulnerability let hackers steal data from governments around the world

affiliates of ransomware gang AlphV (aka BlackCat) claimed to have compromised digital lending firm MeridianLink – and reportedly filed an SEC complaint against the fintech firm for failing to disclose the intrusion to the US watchdog.

First reported by DataBreaches, the break-in apparently happened on November 7. AlphaV’s operatives claimed they did not encrypt any files but did steal some data – and MeridianLink was allegedly aware of the intrusion the day it occurred.

In screenshots shared with The Register and posted on social media, the AlphaV SEC submission claims MeridianLink made a “material misstatement or omission” in its filings and financial statements, “or a failure to file.”

The thoughtful folks at AlphV asserted they are simply filing the paperwork for MeridianLink – and giving it “24 hours before we publish the data in its entirety.”

The Register asked the SEC about the AlphV complaint. “We decline to comment,” the spokesperson replied.

Source: Clorox CISO flushes self after multi-million-dollar attack • The Register