The Register® — Biting the hand that feeds IT


UPEK fingerprint scanners insecure, says Elcomsoft

Dell, Acer, ASUS, Lenovo, Samsung, Sony and Toshiba may use holey biometric kit


Spines in laptop vendor-land are shivering right now with the news that fingerprint scanners from UPEK take users’ Windows passwords and dump them in near-plain text in the registry.

The security howler was turned up in the UPEK Protector Suite, which until recently shipped with laptops using the company’s scanners. While the software was replaced following the merger of UPEK and Authentec, Elcomsoft’s post notes that most users will not have installed the new software.

“UPEK’s implementation is nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts,” wrote Elcomsoft’s Olga Koksharova.

“Windows itself never stores account passwords unless you enable ‘automatic login’, which is discouraged by Microsoft,” she wrote. However: “After analyzing a number of laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite, we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted.”

Elcomsoft identifies Dell, Acer, ASUS, Gateway, Lenovo, MSI, Samsung, Sony, NEC, Toshiba and others as current or former UPEK customers. Lenovo says in a support forum post that it is investigating the issue; The Register’s searches of the other vendors’ sites don’t turn up any other responses as yet.

There are two requirements for the vulnerability to be exploited: the user has to be using the fingerprint scanner as their default Windows login, and an attacker would need physical access to the machine. Elcomsoft recommends that users disable “Windows login” in the UPEK Protector Suite. ®


Anonymous Coward

Re: Hold on there...

If you read the original article they don't say that physical access is required, only that that is what they used to extract the encoded passwords. There is no indication that you couldn't achieve the same results by using a trojan or remote code execution vulnerability (in fact they say they have PoC code that they will give to journalists, which strongly suggests you only need to run a program rather than mess with hardware).

4
0
Anonymous Coward

Re: Hold on there...

"...Programs don't need admin privileges to read an arbitrary Registry key, only to write one..."

The Registry is fully ACLed: you can let any user or none have any level of access you want to any single Registry key. Whether this is implemented or not is another matter, but in the days when the USB port wasn't that easily disabled, the company I worked for had a usb_denied global group, which was set to have no access to a couple of registry keys, which prevented any USB storage being mounted.

2
0
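One way to check the point made in the comment above about registry ACLs, as an added example that is not part of the original post and not Elcomsoft's or UPEK's code: a PowerShell audit of which principals are allowed to read a given key. The key path is a placeholder, since the page does not name the key the Protector Suite writes to; substitute the key you want to inspect.

```powershell
# Added example: report who can read a registry key, flagging low-privileged principals.
# $KeyPath is a placeholder (the page does not give the real key); pass the key to audit.
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\PLACEHOLDER_VENDOR\PLACEHOLDER_KEY'
)

# Principals that effectively mean "any local process can read this".
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
$readBits = [System.Security.AccessControl.RegistryRights]::ReadKey

if (-not (Test-Path -Path $KeyPath)) {
    Write-Warning "Key not found: $KeyPath"
    return
}

$acl = Get-Acl -Path $KeyPath
$findings = foreach ($rule in $acl.Access) {
    # Any overlap with the ReadKey composite right lets the principal read values.
    $grantsRead = (($rule.RegistryRights -band $readBits) -ne 0)
    if ($rule.AccessControlType -eq 'Allow' -and $grantsRead) {
        [pscustomobject]@{
            Principal = $rule.IdentityReference.Value
            Rights    = $rule.RegistryRights
            Inherited = $rule.IsInherited
            Broad     = ($broadPrincipals -contains $rule.IdentityReference.Value)
        }
    }
}

$findings | Sort-Object Broad -Descending | Format-Table -AutoSize
if ($findings | Where-Object Broad) {
    Write-Warning "Key is readable by low-privileged principals; a secret stored here is exposed to any local process."
}
```

Inherited rules are reported too, because a key under HKLM\SOFTWARE typically inherits read access for BUILTIN\Users unless the vendor explicitly removed it.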

Re: Hold on there...

Lacking a more technical explanation, I don't really know what to make of this.

Windows security has traditionally depended on passwords. What UPEK's software apparently does is to identify a user by his fingerprint, and then look up the (lightly scrambled) password in the registry in order to use it to log in. Having logged in the user is then able to use the PC and to connect to other computers in Windows domains, etc., as though he'd logged in with a password.

Note that if you have physical access to someone's PC then you can whip the hard drive out and read it on another PC to get to their data ... but if they have used the Windows Encrypted File System to protect their data you will need their password in order to gain access to their keys and decrypt their data. This is the real weakness that is created by UPEK's folly.

Windows 7 has a new chunk of functionality called the Windows Biometric Framework which is supposed to make it possible to use a biometric instead of a password to authenticate a user to Windows, but that isn't present in Vista or XP, and the kludgey thing with the stored password is an easy alternative.

2
0
