Apple's soon-to-be-slurped securo firm shrugs off crypto warning

Windows passwords exposure confusion

Protecting users from Firesheep and other Sidejacking attacks with SSL

AuthenTec, the security firm that's the target of an $356m acquisition by Apple, has denied reports that possible cryptographic weaknesses in its fingerprint scanner software pose a risk to the security of laptops.

Apple's attempted slurp of the fingerprint-scanning firm, which also makes other security products, was announced in July, but Cupertino has yet to secure shareholder and regulatory approval for the deal.

UPEK (a firm acquired by AuthenTec in September 2010) supplies fingerprint readers to manufacturers including Acer, ASUS, Dell, Lenovo, Samsung, Sony, Toshiba and many others. The furore began after Russian password-cracking and auditing tools firm ElcomSoft announced recently that it had discovered flaws in the UPEK Protector Suite, a legacy but still widely used fingerprint reader software suite.

The package came pre-loaded onto many laptops prior to its replacement by AuthenTec's latest line of TrueSuite software. UPEK Protector Suite manages fingerprint-reading hardware, offering users the option of using a swipe of a finger instead of typing in Windows login passwords.

ElcomSoft claimed laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite stored Windows account passwords in a "barely scrambled but not encrypted" form in the Windows registry. Elcomsoft is withholding details on this security weakness, at least pending a fix from AuthenTec.

Given physical access to a laptop running UPEK Protector Suite, "we could extract passwords to all user accounts with fingerprint-enabled logon", ElcomSoft warned in an advisory. Windows itself never stores account passwords unless users enable "automatic logon", which is discouraged by Microsoft.

Corporates often bar Windows auto-logon. By contrast, fingerprint logon is rarely, if ever, barred. However the alleged security shortcomings of UPEK Protector Suite have cast doubt over the general assumption that biometrics security is better then password security. "UPEK Protector Suite simply stores the original password to Windows account, making it possible for an intruder to obtain one," ElcomSoft warns, describing the approach as akin "introducing a paper link to a stainless steel chain".

ElcomSoft notes that hackers with physical access to a laptop would probably be able to get at files and folders anyway. But it says the "security weaknesses" supposedly added by the fingerprint reader software would mean hackers would also be able to read EFS-encrypted files, which are secured with a Windows account password.

The Russian firm is advising users of UPEK Protector Suite to disable the Windows logon feature.

You'd need a key-logging exploit, in which case you're screwed anyway

AuthenTec said on Friday that such measures were unnecessary. It downplayed the security weaknesses highlighted by ElcomSoft, arguing that (in practice) they would only be exploitable if a targeted laptop was contaminated with something akin to key-logger software, in which case hackers would already have complete control of a compromised machine anyway. Nonetheless, AuthenTec is promising an update to harden its AES key generation algorithm, which would be unnecessary if the implementation was already bullet-proof.

AuthenTec takes security seriously, which is why we contacted ElcomSoft shortly after their recent blog post which claimed that ProtectorSuite stores Windows passwords insecurely. AuthenTec evaluated ElcomSoft’s claims after they provided relevant information to the company last night. Based on the findings of our team:
  • ElcomSoft confirmed passwords stored in ProtectorSuite were AES encrypted as AuthenTec expected.
  • ElcomSoft has reverse-engineered the AES key generation algorithm in ProtectorSuite and written code that uses this information to unlock the AES encrypted storage

Any tool that were to use this code maliciously must be downloaded by a user and given administrator access rights to be effective – making it no more or less potent than widely available key loggers in harvesting personal information

In order to protect ProtectorSuite users in the event that ElcomSoft makes this code more widely available, AuthenTec is creating an update to ProtectorSuite with a hardened version of our AES key generation algorithm. We expect this new version of ProtectorSuite to be available on our website (www.authentec.com) for free download next week.

Users of ProtectorSuite with the Store To Device option available and enabled would not be affected, as keys are stored on the fingerprint sensor and are unique to each PC.

Elcomsoft's warning that UPEK Protector Suite stores Windows account passwords in a "barely scrambled but not encrypted" form in the Windows registry is world's apart from AuthenTec's assurance that this info is encrypted using AES and safe – providing users are not tricked into downloading an running a decryption utility.

However ElcomSoft is sticking by its guns.

El Reg approached Elcomsoft for comment on AuthenTec's rebuttal. Olga Koksharova, Elcomsoft's marketing director, reiterated the Russian firm's warning about the seriousness of the security shortcoming.

"There is a dangerous security vulnerability which is seriously aggravated by the fact that the security is designed particularly for laptops that are frequently shared among employees (or passed from one to another) and represent a very easy prey for thieves," Koksharova told El Reg. "We found that administrator rights grant you a complete access to all other fingerprint-protected accounts which by the way also makes EFS encryption (if there was any) pointless since the password is known.

"It is the second [another] question if these admin rights were assigned to you by default or if you got them somehow else. Moreover, you can simply take out the hard disk and plug it into another system and read the Registry data from there (provided there was no full-disk encryption)," she added.

More commentary on the rival – and hard to reconcile – claims by AuthenTec and ElcomSoft can be found in a blog post by Sophos here. ®

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story


Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.