The researchers who provided details on extracting Windows passwords stored by flawed fingerprint-reader software say the greatest vulnerability to the attack lies in the enterprise.
“It's in corporate environments that this is a bigger deal - since an attacker can easily get the Windows password, they can spread their attack to other machines and other systems far more quickly,” said Adam Caudill, a software developer, architect and security researcher.
Caudill and Brandon Wilson took it upon themselves to work out the critical flaw, revealed last month, in UPEK Protector Suite, fingerprint-reader software. The flaw was originally uncovered by ElcomSoft, which decided not to release details of the vulnerability. But ElcomSoft tickled the curiosity of security experts by claiming the flaw compromised “the entire security model of Windows accounts.”
Basically, the UPEK software stores the user’s Windows passwords in a scrambled format in the registry. Caudill and Wilson recreated the method for extracting those passwords.
Caudill says the answer to whether the entire Windows security model is compromised is yes and no.
“There is a major mitigating factor that we have to keep in mind - those registry keys have permissions set so that you have to be a Local Admin to access them,” he said. That means a hacker already has to be in control of a machine in order to extract the Windows passwords associated with the fingerprint reader.
“So, on one hand [UPEK] is doing something that should never be done: storing an encrypted password - Windows itself doesn't even do this, it stores a hash - and worse, they do so in a way that's easily reversed,” Caudill said.
It is easily reversed because Caudill and Wilson discovered that UPEK used a bastardized version of AES-256 password encryption that produced only a 56-bit key. In addition, the key used is always the same.
Caudill thinks UPEK weakened the encryption to get around export restrictions on strong encryption that were in place in the U.S. at the time the software was developed.
“Because of the extremely poor way this software was implemented, the encryption might as well be non-existent. The key is fixed, and it's only 56 bits. So any attacker with administrative rights on a machine can access the user's password in plain-text,” he said.
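To make the distinction Caudill draws concrete, the following is an added Python example; it is not code from the article, from UPEK or from Windows. It contrasts a reversible store whose key is fixed inside the software (so anyone holding the software, and admin rights to the stored blob, holds the key) with a salted, iterated hash that can only confirm a password, never return it. The fixed-key cipher is a constructed SHA-256-based stand-in, not UPEK's AES variant, and the 7-byte key value is made up.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a key hard-coded in the product: 56 bits = 7 bytes.
# Any value works here; the point is that it ships with the software.
FIXED_KEY = bytes.fromhex("01020304050607")


def _keystream(key: bytes, n: int) -> bytes:
    """Derive n keystream bytes from key || counter (constructed stand-in cipher)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def reversible_store(password: str) -> bytes:
    """'Scramble' the password under the fixed key, as the flawed design does."""
    pw = password.encode("utf-8")
    return bytes(a ^ b for a, b in zip(pw, _keystream(FIXED_KEY, len(pw))))


def reversible_recover(blob: bytes) -> str:
    """Whoever has the software has the key, so the plaintext comes straight back."""
    pw = bytes(a ^ b for a, b in zip(blob, _keystream(FIXED_KEY, len(blob))))
    return pw.decode("utf-8")


def verifier_store(password: str, iterations: int = 200_000) -> dict:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256): answers 'is this it?' only."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verifier_check(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time; no recovery path."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])
```

The reversible path hands the password back to any holder of the blob, which is exactly the situation an attacker with Local Admin ends up in; the hash path gives such an attacker nothing to reuse on other systems.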
Given that reality, Caudill sees the enterprise and its users as the most vulnerable.
“It allows an attacker to more easily spread an attack from one machine to many - and thanks to password reuse, they will probably be able to use that password to access other systems that the victim has access to,” he said.
Caudill and Wilson have posted a proof-of-concept of their findings on GitHub. The pair's intent is to allow enterprises to understand the problems and protect themselves against them. Caudill says they have not been criticized for revealing details of the exploit.
“All the feedback has either been asking for help in porting the code for use in other tools, or thanks for helping companies confirm that their systems are secure,” he said.
The laptop manufacturers using UPEK software include Acer, ASUS, Dell, Gateway, Lenovo, MSI, NEC, Samsung, Sony, and Toshiba.
AuthenTec acquired the tainted UPEK software in September 2010. The technology is now owned by Apple.