Apple's soon-to-be-slurped securo firm shrugs off crypto warning

Windows passwords exposure confusion

The essential guide to IT transformation

AuthenTec, the security firm that's the target of an $356m acquisition by Apple, has denied reports that possible cryptographic weaknesses in its fingerprint scanner software pose a risk to the security of laptops.

Apple's attempted slurp of the fingerprint-scanning firm, which also makes other security products, was announced in July, but Cupertino has yet to secure shareholder and regulatory approval for the deal.

UPEK (a firm acquired by AuthenTec in September 2010) supplies fingerprint readers to manufacturers including Acer, ASUS, Dell, Lenovo, Samsung, Sony, Toshiba and many others. The furore began after Russian password-cracking and auditing tools firm ElcomSoft announced recently that it had discovered flaws in the UPEK Protector Suite, a legacy but still widely used fingerprint reader software suite.

The package came pre-loaded onto many laptops prior to its replacement by AuthenTec's latest line of TrueSuite software. UPEK Protector Suite manages fingerprint-reading hardware, offering users the option of using a swipe of a finger instead of typing in Windows login passwords.

ElcomSoft claimed laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite stored Windows account passwords in a "barely scrambled but not encrypted" form in the Windows registry. Elcomsoft is withholding details on this security weakness, at least pending a fix from AuthenTec.

Given physical access to a laptop running UPEK Protector Suite, "we could extract passwords to all user accounts with fingerprint-enabled logon", ElcomSoft warned in an advisory. Windows itself never stores account passwords unless users enable "automatic logon", which is discouraged by Microsoft.

Corporates often bar Windows auto-logon. By contrast, fingerprint logon is rarely, if ever, barred. However the alleged security shortcomings of UPEK Protector Suite have cast doubt over the general assumption that biometrics security is better then password security. "UPEK Protector Suite simply stores the original password to Windows account, making it possible for an intruder to obtain one," ElcomSoft warns, describing the approach as akin "introducing a paper link to a stainless steel chain".

ElcomSoft notes that hackers with physical access to a laptop would probably be able to get at files and folders anyway. But it says the "security weaknesses" supposedly added by the fingerprint reader software would mean hackers would also be able to read EFS-encrypted files, which are secured with a Windows account password.

The Russian firm is advising users of UPEK Protector Suite to disable the Windows logon feature.

You'd need a key-logging exploit, in which case you're screwed anyway

AuthenTec said on Friday that such measures were unnecessary. It downplayed the security weaknesses highlighted by ElcomSoft, arguing that (in practice) they would only be exploitable if a targeted laptop was contaminated with something akin to key-logger software, in which case hackers would already have complete control of a compromised machine anyway. Nonetheless, AuthenTec is promising an update to harden its AES key generation algorithm, which would be unnecessary if the implementation was already bullet-proof.

AuthenTec takes security seriously, which is why we contacted ElcomSoft shortly after their recent blog post which claimed that ProtectorSuite stores Windows passwords insecurely. AuthenTec evaluated ElcomSoft’s claims after they provided relevant information to the company last night. Based on the findings of our team:
  • ElcomSoft confirmed passwords stored in ProtectorSuite were AES encrypted as AuthenTec expected.
  • ElcomSoft has reverse-engineered the AES key generation algorithm in ProtectorSuite and written code that uses this information to unlock the AES encrypted storage

Any tool that were to use this code maliciously must be downloaded by a user and given administrator access rights to be effective – making it no more or less potent than widely available key loggers in harvesting personal information

In order to protect ProtectorSuite users in the event that ElcomSoft makes this code more widely available, AuthenTec is creating an update to ProtectorSuite with a hardened version of our AES key generation algorithm. We expect this new version of ProtectorSuite to be available on our website (www.authentec.com) for free download next week.

Users of ProtectorSuite with the Store To Device option available and enabled would not be affected, as keys are stored on the fingerprint sensor and are unique to each PC.

Elcomsoft's warning that UPEK Protector Suite stores Windows account passwords in a "barely scrambled but not encrypted" form in the Windows registry is world's apart from AuthenTec's assurance that this info is encrypted using AES and safe – providing users are not tricked into downloading an running a decryption utility.

However ElcomSoft is sticking by its guns.

El Reg approached Elcomsoft for comment on AuthenTec's rebuttal. Olga Koksharova, Elcomsoft's marketing director, reiterated the Russian firm's warning about the seriousness of the security shortcoming.

"There is a dangerous security vulnerability which is seriously aggravated by the fact that the security is designed particularly for laptops that are frequently shared among employees (or passed from one to another) and represent a very easy prey for thieves," Koksharova told El Reg. "We found that administrator rights grant you a complete access to all other fingerprint-protected accounts which by the way also makes EFS encryption (if there was any) pointless since the password is known.

"It is the second [another] question if these admin rights were assigned to you by default or if you got them somehow else. Moreover, you can simply take out the hard disk and plug it into another system and read the Registry data from there (provided there was no full-disk encryption)," she added.

More commentary on the rival – and hard to reconcile – claims by AuthenTec and ElcomSoft can be found in a blog post by Sophos here. ®

Next gen security for virtualised datacentres

More from The Register

next story
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Linux kernel devs made to finger their dongles before contributing code
Two-factor auth enabled for Kernel.org repositories
prev story


5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.