Apple's soon-to-be-slurped securo firm shrugs off crypto warning
Windows passwords exposure confusion
AuthenTec, the security firm that's the target of an $356m acquisition  by Apple, has denied reports that possible cryptographic weaknesses in its fingerprint scanner software pose a risk to the security of laptops.
Apple's attempted slurp of the fingerprint-scanning firm, which also makes other security products, was announced in July, but Cupertino has yet to secure shareholder and regulatory approval for the deal.
UPEK (a firm acquired by AuthenTec in September 2010) supplies fingerprint readers to manufacturers including Acer, ASUS, Dell, Lenovo, Samsung, Sony, Toshiba and many others. The furore began after Russian password-cracking and auditing tools firm ElcomSoft announced recently that it had discovered flaws in the UPEK Protector Suite, a legacy but still widely used fingerprint reader software suite.
The package came pre-loaded onto many laptops prior to its replacement by AuthenTec's latest line of TrueSuite software. UPEK Protector Suite manages fingerprint-reading hardware, offering users the option of using a swipe of a finger instead of typing in Windows login passwords.
ElcomSoft claimed laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite stored Windows account passwords in a "barely scrambled but not encrypted" form in the Windows registry. Elcomsoft is withholding details on this security weakness, at least pending a fix from AuthenTec.
Given physical access to a laptop running UPEK Protector Suite, "we could extract passwords to all user accounts with fingerprint-enabled logon", ElcomSoft warned in an advisory . Windows itself never stores account passwords unless users enable "automatic logon", which is discouraged by Microsoft.
Corporates often bar Windows auto-logon. By contrast, fingerprint logon is rarely, if ever, barred. However the alleged security shortcomings of UPEK Protector Suite have cast doubt over the general assumption that biometrics security is better then password security. "UPEK Protector Suite simply stores the original password to Windows account, making it possible for an intruder to obtain one," ElcomSoft warns, describing the approach as akin "introducing a paper link to a stainless steel chain".
ElcomSoft notes that hackers with physical access to a laptop would probably be able to get at files and folders anyway. But it says the "security weaknesses" supposedly added by the fingerprint reader software would mean hackers would also be able to read EFS-encrypted files, which are secured with a Windows account password.
The Russian firm is advising users of UPEK Protector Suite to disable the Windows logon feature.
You'd need a key-logging exploit, in which case you're screwed anyway
AuthenTec said on Friday that such measures were unnecessary. It downplayed the security weaknesses highlighted by ElcomSoft, arguing that (in practice) they would only be exploitable if a targeted laptop was contaminated with something akin to key-logger software, in which case hackers would already have complete control of a compromised machine anyway. Nonetheless, AuthenTec is promising an update to harden its AES key generation algorithm, which would be unnecessary if the implementation was already bullet-proof.
AuthenTec takes security seriously, which is why we contacted ElcomSoft shortly after their recent blog post which claimed that ProtectorSuite stores Windows passwords insecurely. AuthenTec evaluated ElcomSoft’s claims after they provided relevant information to the company last night. Based on the findings of our team:
- ElcomSoft confirmed passwords stored in ProtectorSuite were AES encrypted as AuthenTec expected.
- ElcomSoft has reverse-engineered the AES key generation algorithm in ProtectorSuite and written code that uses this information to unlock the AES encrypted storage
Any tool that were to use this code maliciously must be downloaded by a user and given administrator access rights to be effective – making it no more or less potent than widely available key loggers in harvesting personal information
In order to protect ProtectorSuite users in the event that ElcomSoft makes this code more widely available, AuthenTec is creating an update to ProtectorSuite with a hardened version of our AES key generation algorithm. We expect this new version of ProtectorSuite to be available on our website (www.authentec.com) for free download next week.
Users of ProtectorSuite with the Store To Device option available and enabled would not be affected, as keys are stored on the fingerprint sensor and are unique to each PC.
Elcomsoft's warning that UPEK Protector Suite stores Windows account passwords in a "barely scrambled but not encrypted" form in the Windows registry is world's apart from AuthenTec's assurance that this info is encrypted using AES and safe – providing users are not tricked into downloading an running a decryption utility.
However ElcomSoft is sticking by its guns.
El Reg approached Elcomsoft for comment on AuthenTec's rebuttal. Olga Koksharova, Elcomsoft's marketing director, reiterated the Russian firm's warning about the seriousness of the security shortcoming.
"There is a dangerous security vulnerability which is seriously aggravated by the fact that the security is designed particularly for laptops that are frequently shared among employees (or passed from one to another) and represent a very easy prey for thieves," Koksharova told El Reg. "We found that administrator rights grant you a complete access to all other fingerprint-protected accounts which by the way also makes EFS encryption (if there was any) pointless since the password is known.
"It is the second [another] question if these admin rights were assigned to you by default or if you got them somehow else. Moreover, you can simply take out the hard disk and plug it into another system and read the Registry data from there (provided there was no full-disk encryption)," she added.
More commentary on the rival – and hard to reconcile – claims by AuthenTec and ElcomSoft can be found in a blog post by Sophos here . ®