Feeds

UPEK fingerprint scanners insecure, says Elcomsoft

Dell, Acer, ASUS, Lenovo, Samsung, Sony and Toshiba may use holey biometric kit

Top three mobile application threats

Spines in laptop vendor-land are shivering right now with the news that fingerprint scanners from UPEK take users’ Windows passwords and dumps them in near-plain-text in the registry.

The security howler was turned up in the UPEK Protector Suite, which until recently shipped with laptops using the company’s scanners. While the software was replaced following the merger of UPEK and Authentec, Elcomsoft’s post notes that most users will not have installed the new software.

“UPEK’s implementation is nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts,” wrote Elcomsoft’s Olga Koksharova.

“Windows itself never stores account passwords unless you enable “automatic login”, which is discouraged by Microsoft,” she wrote, however: “After analyzing a number of laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite, we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted.”

Elcomsoft identifies Dell, Acer, ASUS, Gateway, Lenovo, MSI, Samsung, Sony, NEC, Toshiba and others as current or former UPEK customers. Lenovo says in a support forum post that it is investigating the issue; The Register’s searches of the other vendors’ sites doesn’t turn up any other responses as yet.

There are two requirements for the vulnerability to be exploited: the user has to be using the fingerprint scanner as their default Windows login, and an attacker would need physical access to the machine. Elcomsoft recommends that users disable “Windows login” in the UPEK Protector Suite. ®

Combat fraud and increase customer satisfaction

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.