PC passwords exposed by flaw in Apple-owned fingerprint software

Summary: Security researchers have confirmed a vulnerability in now Apple-owned fingerprint software that exposes passwords on Windows PCs.


A security flaw in fingerprint reading software, now owned by Apple, which has the potential to leave millions of Windows PC users' passwords exposed, has been independently verified by security researchers. 

Any hacker with physical control of a person's computer can skim Windows account passwords out of the system, reports Ars Technica.

In July, Apple acquired Australia-based fingerprint hardware firm AuthenTec for $356 million. The firm makes smart sensors and management software, along with embedded security devices including fingerprint readers. (In a separate purchase, Apple earlier this month inked a deal with another Australian firm, Microlatch, which may see the iPhone and iPad maker develop fingerprint technology for use in near-field communications applications.)

But Apple, which is in control of the hardware and software, has yet to make a statement, issue updates, or even acknowledge that it is now responsible for the flaw in its software, used on its main rival's operating system.

The UPEK fingerprint software, which AuthenTec acquired in 2010, contains a flaw that makes the Windows password tied to the fingerprint easy to extract and crack, despite the software being marketed as a secure means of logging into a Windows machine with a biometric fingerprint.

Many laptop and PC makers use the UPEK software, including: Acer, Asus, Dell, Gateway, Lenovo, MSI, NEC, Samsung, Sony, and Toshiba. (Lenovo rebranded the UPEK software as ThinkVantage.)

In August, Windows software developer and Microsoft certified partner Elcomsoft discovered the flaw in the UPEK software, dubbing it a "paper link to a stainless steel chain."

The flaw exists partly in Windows in that the user's account password is "stored in [the] Windows registry almost in plain text, barely scrambled but not encrypted," said Olga Koksharova on the Elcomsoft blog. The security researchers who confirmed the vulnerability said that was "close enough," and detailed where the Windows passwords are stored in the registry.

The researchers have now released open-source software that allows hackers to exploit Windows machines with fingerprint readers that run the UPEK software.

They explained:

The first 24 bytes are header and size information. After the encrypted data there is a 4-byte number that indicates the number of bytes in the next section; the following bytes are used in the IV. The encryption key is 'generated' using a PBKDF2-like function that uses MD5 hashing, but unfortunately, when storing data in the registry, they aren't using a password -- so the outcome is based purely on an MD5 hash that they are using as a 'seed' value. This means that the key used is always the same.

Better: the key is only 56 bits.
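The key-derivation mistake the researchers describe is easy to see in code. The following Python is an added illustration, not code from the researchers, Elcomsoft, UPEK or Apple, and it does not reproduce the real registry blob layout: it models a PBKDF2-style derivation (HMAC-MD5 as the PRF) run with no password over a fixed MD5 'seed', which therefore produces the same 56-bit key on every installation, and sets it beside a derivation that actually depends on a secret and a salt. Every name and value in it (`SEED`, `flawed_key`, `proper_key`, `fresh_install_key`, `keys_match_across_installs`) is constructed for the example.

```python
import hashlib
import os
from typing import Callable

# Constructed stand-in for the fixed 'seed' value the researchers describe.
# In the flawed scheme this is the only input to the derivation, and it is
# not secret: anyone with a copy of the software has it.
SEED = b"constructed-fixed-seed-value"


def flawed_key(seed: bytes = SEED) -> bytes:
    """Model of the weakness: PBKDF2 with HMAC-MD5 and an EMPTY password.

    Every input is a constant, so the output is a constant too, however many
    iterations run. dklen=7 gives 7 bytes = 56 bits, the key size reported.
    """
    md5_seed = hashlib.md5(seed).digest()
    return hashlib.pbkdf2_hmac("md5", b"", md5_seed, 1000, 7)


def proper_key(user_secret: bytes, salt: bytes) -> bytes:
    """What a storage key should depend on: a secret that someone holding the
    disk cannot read, plus a random salt stored next to the ciphertext."""
    return hashlib.pbkdf2_hmac("sha256", user_secret, salt, 600_000, 32)


def fresh_install_key() -> bytes:
    """Derive a proper key the way a newly set-up installation would,
    with its own random secret and salt (constructed with os.urandom)."""
    return proper_key(os.urandom(32), os.urandom(16))


def keys_match_across_installs(derive: Callable[[], bytes]) -> bool:
    """Run a derivation as two unrelated installations would and report
    whether both end up with the same key. True means the 'encryption' adds
    no secrecy: the key is a property of the software, not of the user."""
    install_a = derive()
    install_b = derive()
    return install_a == install_b


def flawed_key_bits() -> int:
    """Effective key length of the flawed scheme, in bits."""
    return len(flawed_key()) * 8


if __name__ == "__main__":
    print("flawed scheme: same key on every install?",
          keys_match_across_installs(flawed_key), "-", flawed_key_bits(), "bits")
    print("proper scheme: same key on every install?",
          keys_match_across_installs(fresh_install_key))
```

The point the model makes is that PBKDF2, iteration counts and the choice of hash are irrelevant once no secret enters the derivation: the output is as public as its inputs, so data "encrypted" under it is effectively stored in the clear, and the short 56-bit key only removes the last obstacle. Tying the key to a secret the user or the OS holds (and salting it per record) is what makes such a store worth encrypting at all.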

Ars Technica notes that when the UPEK software isn't in use or activated, Windows doesn't store user passwords in the registry unless the user allows the machine to boot up and login automatically. But disabling the Windows login prompt from the UPEK software doesn't remove the password from the registry. Only removing the user's "passport" from the software will do so.

ZDNet has reached out to Apple and we will update the piece if we hear back. 

  • What does the fact that Apple now owns

    the company have to do with the security flaw? Or do you honestly think the flaw occurred because Apple bought the company? Good grief. If you're going to engage in yellow journalism, at least try to do a decent job.
    • Click Bait

      This story wouldn't even have been reported if Apple hadn't bought them.
      Henry 3 Dogg
      • LOL

        This flaw was reported on a couple of weeks ago, and heavily commented on ZDnet. At the time there was no Apple link (I don't think Apple had bought the company yet, and there was no indication it intended to do so).
    • What does not have flaws?

      What would be news is a piece of software that does not have flaws. Let's for the sake of these stories just assume that everything has flaws.
    • Bit touchy aren't we?

      The only references to Apple are about it now owning the product and it being the ones who they have contacted for comment. The other 99.9% is about the issue itself.
    • Not Apple's fault

      Firstly, this security problem in windows user passwords was not compromised by this fingerprint software. It was a problem in windows itself!
      Microsoft is largely to blame here whether by design or not is debatable.
      While you cannot RETRIEVE a user password in windows, you can easily RESET it if you have logical access to the hard drive. All it takes is software to delete the password in the SAM database in windows. Any worthy system admin or experienced windows techhead will already know this.
      It is a weakness in the way MS has implemented the user database where you don't need the encryption key to "blank" the password for any level user including admin. If you use bitlocker in windows 7, it steps it up a notch and you cannot blank the user password in this manner.
      Windows security has been much improved and if you are using anything earlier than Windows 7 for sensitive data, you are a fool. Those corporates that are clinging onto XP & Vista have rubbish IT departments or they don't care about their data.
      While I am familiar with the Authentec software, I usually disable the feature mainly because it is rubbish and takes too many swipes to get a good pass. Until the technology improves significantly, fingerprint scanning holds gimmick value.
      The problem we now have is that Apple is now responsible for Authentec and I'm not holding much faith in Apple foxing the situation even though they are not to blame for this.
      • "foxing" LOL

        Um, Apple may indeed end up "FOXING" this situation. What I meant of course is "fixing" this situation.
      • Lawsuit

        I hope that there is a huge lawsuit that Apple has to spend $ on defending themselves.
        Burger Meister
  • Ugh.. I hate defending Apple.. but..

    This is an Authentec problem and they've been around for a LONG time. They were making Windows specific hardware and software long before Apple bought them - and this bug was around long before Apple bought them.

    This story should have been framed differently - Security hardware by Authentec (now owned by Apple) has been found to have a bug. I know you say this, but the way it's worded really way overemphasises the 'now owned by Apple' part and makes it seems like Apple had some involvement in any of it which, other than buying Authentec, it didn't...
    The Werewolf!
  • Let me guess

    This bug (Flaw, security issue) just appeared, since Apple bought them? It's kind of like the issues with Skype, that prevented me from using their software Before Microsoft bought them. The fact the software hasn't improved since then keeps me from using it still. But that is not Microsoft's fault Skype was junk, that lies with the original creator. Same applies here! Oh wait, silly me, if it's a Negative story about Apple, the Astroturfers, and Shills need something to rant about to earn their Microsoft paychecks.
    Troll Hunter J
    • yes, just like you are getting Apple Paychecks

      to bash Microsoft in every post. ;-)
      Ram U
      • Sating facts

        No matter how much it offends your stupid religion, is the difference. I stated a fact, there are paid Microsoft employees on here, and their job is to post negative comments about everything other than Microsoft. There's Todd/Will/Matt/etc. the Indian guy Rama, and a few others that post the same tripe, no matter what. I at least don't blame Microsoft for issues with Skype, because they existed before Microsoft bought them. You on the other hand, most likely work in Microsoft's India call center. Where is it exactly? Bangalore?
        Troll Hunter J
        • Stating Facts

          @Troll Hunter J - since you claim to be "stating facts" about the existence of MS employees on this site, I'd like to see some evidence besides your not liking the content of their posts. How about a pay stub?
          • Google Astroturfers

            you'll find plenty of examples. Microsoft has employed Astroturfers for over a decade. I'm not saying they are the only company that does so, but they do in fact pay people to Astroturf.
            Troll Hunter J
          • The question that was asked

            is if YOU have any proof that Todd/Will/Matt/etc. are being paid by Microsoft such as a paystub. Do you have paystubs for Todd/Will/Matt/etc. from Microsoft or any other company proving your claim? If so post it, if not then I suggest changing your tune.
        • Oooh. You're such a saint.

          ...for not blaming Microsoft for Skype issues.
          Trying to bolster your credibility?

          Sorry, but you're a hypocrite because you're on the Windows articles doing exactly the same thing ;)

          Am I wrong?
    • Skype is junk?

      Clearly you're a complete idiot.
  • Will Apple do the Ethical Thing?

    The real question is will Apple do the ethical thing and fix the software or will they intentionally let PCs be insecure in order to gain a competitive advantage? I couldn't care less about the timing of the announcement, other than Apple now has a limited amount of time in which to fix the problem. I didn't read this as Apple bashing but will if they don't fix the problem.
  • Nothing to see here ...

    1) Apple bought the software - they're not responsible for the fault. Why the lame attempt to tar them with the error?

    2) Apple bought the software - they're responsible for fixing it, like it or not. Their failing isn't that the flaw exists, it's their response (rather lack of response) to its announcement.

    "But Apple, which is in control of the hardware and software, has yet to make a statement, issue updates, or even acknowledge that it is now responsible" - So, what else is new?
    • Rolls eyes

      So the company has yet to make a statement, issue updates, or even acknowledge that it is now responsible. For the whole time it existed.

      Apple has a policy of not commenting on a security flaw till it has a fix. Presumably they don't yet have a fix.

      Or more to the point the same people who created the problem years ago have not yet provided a fix, and Apple is now the owner of their company and Apple policy may apply to making statements, or maybe that hasn't changed either.

      Or if mechBgon is right they have released a fix.