Apple's soon-to-be-slurped securo firm shrugs off crypto warning

Windows passwords exposure confusion

High performance access to file storage

AuthenTec, the security firm that's the target of an $356m acquisition by Apple, has denied reports that possible cryptographic weaknesses in its fingerprint scanner software pose a risk to the security of laptops.

Apple's attempted slurp of the fingerprint-scanning firm, which also makes other security products, was announced in July, but Cupertino has yet to secure shareholder and regulatory approval for the deal.

UPEK (a firm acquired by AuthenTec in September 2010) supplies fingerprint readers to manufacturers including Acer, ASUS, Dell, Lenovo, Samsung, Sony, Toshiba and many others. The furore began after Russian password-cracking and auditing tools firm ElcomSoft announced recently that it had discovered flaws in the UPEK Protector Suite, a legacy but still widely used fingerprint reader software suite.

The package came pre-loaded onto many laptops prior to its replacement by AuthenTec's latest line of TrueSuite software. UPEK Protector Suite manages fingerprint-reading hardware, offering users the option of using a swipe of a finger instead of typing in Windows login passwords.

ElcomSoft claimed laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite stored Windows account passwords in a "barely scrambled but not encrypted" form in the Windows registry. Elcomsoft is withholding details on this security weakness, at least pending a fix from AuthenTec.

Given physical access to a laptop running UPEK Protector Suite, "we could extract passwords to all user accounts with fingerprint-enabled logon", ElcomSoft warned in an advisory. Windows itself never stores account passwords unless users enable "automatic logon", which is discouraged by Microsoft.

Corporates often bar Windows auto-logon. By contrast, fingerprint logon is rarely, if ever, barred. However the alleged security shortcomings of UPEK Protector Suite have cast doubt over the general assumption that biometrics security is better then password security. "UPEK Protector Suite simply stores the original password to Windows account, making it possible for an intruder to obtain one," ElcomSoft warns, describing the approach as akin "introducing a paper link to a stainless steel chain".

ElcomSoft notes that hackers with physical access to a laptop would probably be able to get at files and folders anyway. But it says the "security weaknesses" supposedly added by the fingerprint reader software would mean hackers would also be able to read EFS-encrypted files, which are secured with a Windows account password.

The Russian firm is advising users of UPEK Protector Suite to disable the Windows logon feature.

You'd need a key-logging exploit, in which case you're screwed anyway

AuthenTec said on Friday that such measures were unnecessary. It downplayed the security weaknesses highlighted by ElcomSoft, arguing that (in practice) they would only be exploitable if a targeted laptop was contaminated with something akin to key-logger software, in which case hackers would already have complete control of a compromised machine anyway. Nonetheless, AuthenTec is promising an update to harden its AES key generation algorithm, which would be unnecessary if the implementation was already bullet-proof.

AuthenTec takes security seriously, which is why we contacted ElcomSoft shortly after their recent blog post which claimed that ProtectorSuite stores Windows passwords insecurely. AuthenTec evaluated ElcomSoft’s claims after they provided relevant information to the company last night. Based on the findings of our team:
  • ElcomSoft confirmed passwords stored in ProtectorSuite were AES encrypted as AuthenTec expected.
  • ElcomSoft has reverse-engineered the AES key generation algorithm in ProtectorSuite and written code that uses this information to unlock the AES encrypted storage

Any tool that were to use this code maliciously must be downloaded by a user and given administrator access rights to be effective – making it no more or less potent than widely available key loggers in harvesting personal information

In order to protect ProtectorSuite users in the event that ElcomSoft makes this code more widely available, AuthenTec is creating an update to ProtectorSuite with a hardened version of our AES key generation algorithm. We expect this new version of ProtectorSuite to be available on our website (www.authentec.com) for free download next week.

Users of ProtectorSuite with the Store To Device option available and enabled would not be affected, as keys are stored on the fingerprint sensor and are unique to each PC.

Elcomsoft's warning that UPEK Protector Suite stores Windows account passwords in a "barely scrambled but not encrypted" form in the Windows registry is world's apart from AuthenTec's assurance that this info is encrypted using AES and safe – providing users are not tricked into downloading an running a decryption utility.

However ElcomSoft is sticking by its guns.

El Reg approached Elcomsoft for comment on AuthenTec's rebuttal. Olga Koksharova, Elcomsoft's marketing director, reiterated the Russian firm's warning about the seriousness of the security shortcoming.

"There is a dangerous security vulnerability which is seriously aggravated by the fact that the security is designed particularly for laptops that are frequently shared among employees (or passed from one to another) and represent a very easy prey for thieves," Koksharova told El Reg. "We found that administrator rights grant you a complete access to all other fingerprint-protected accounts which by the way also makes EFS encryption (if there was any) pointless since the password is known.

"It is the second [another] question if these admin rights were assigned to you by default or if you got them somehow else. Moreover, you can simply take out the hard disk and plug it into another system and read the Registry data from there (provided there was no full-disk encryption)," she added.

More commentary on the rival – and hard to reconcile – claims by AuthenTec and ElcomSoft can be found in a blog post by Sophos here. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story


Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.