Vendor’s biometric software compromises “entire security model of Windows accounts”

Summary: Flaw in fingerprint reader software called "nothing but a big, glowing security hole." Vulnerability exposes all files, documents on PC.

TOPICS: Security, PCs, Windows

Laptops from various manufacturers, including four of the world's five largest PC makers, ship with fingerprint readers whose software has a flaw described as “nothing but a big, glowing security hole compromising the entire security model of Windows accounts.”

The research and the quote come from ElcomSoft, a developer of Windows software and a Microsoft Certified Partner, which discovered the flaw in UPEK Protector Suite, the software that drives UPEK fingerprint readers. The Moscow, Russia-based Elcomsoft called UPEK the paper link in a stainless steel chain.

“We found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted,” Olga Koksharova wrote on the Elcomsoft blog. “We could extract passwords to all user accounts with fingerprint-enabled logon. Putting things into perspective: Windows itself never stores account passwords unless you enable ‘automatic login’, which is discouraged by Microsoft.” In fact, Windows warns users that automatic login is a security risk before allowing activation of the setting.

The UPEK software, until recently, shipped with the majority of laptops equipped with the company's fingerprint hardware. Over the years, UPEK's fingerprint authentication hardware and software were also integrated into various USB flash drives, external hard disk drives, and mobile phones.

The laptop manufacturers using UPEK software include Acer, ASUS, Dell, Gateway, Lenovo, MSI, NEC, Samsung, Sony, and Toshiba.

Protector Suite lets users substitute a finger swipe for a password. To support that one-swipe login, the software caches the user's passwords for Web sites and for Windows itself.

An attacker who recovers the cached password from the UPEK software's registry data could gain access to all the files and documents on the PC. Elcomsoft notes that this matters especially for EFS-encrypted files, which cannot be read without the Windows account password.
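As an added illustration (not code from UPEK, Elcomsoft or this article), the PowerShell below contrasts the kind of reversible scramble Elcomsoft describes with a store that defers to the Windows security model through DPAPI. The XOR key, the entropy string, the function names and the sample password are all hypothetical; UPEK's actual scrambling scheme and registry layout are not reproduced here.

```powershell
# Added example, not the vendor's code. The fixed XOR key below stands in for
# whatever "barely scrambled" means in practice: any reader of the blob who
# also has the product (and thus the key) recovers the password.
$Scramble = [byte[]](0x5A, 0xC3, 0x3C, 0xA5)   # hypothetical key baked into the product

function Protect-ByScramble {
    param([string]$Secret)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = $bytes[$i] -bxor $Scramble[$i % $Scramble.Length]
    }
    # Looks like noise in a registry value, but needs no secret to undo.
    return [Convert]::ToBase64String($bytes)
}

function Unprotect-ByScramble {
    param([string]$Blob)
    $bytes = [Convert]::FromBase64String($Blob)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = $bytes[$i] -bxor $Scramble[$i % $Scramble.Length]
    }
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

# What a product that uses the Windows security model does instead: DPAPI with
# CurrentUser scope derives the wrapping key from the logged-on user's own
# credentials, so a blob copied out of the registry does not unprotect under
# another account, administrator or not.
Add-Type -AssemblyName System.Security
$Entropy = [System.Text.Encoding]::UTF8.GetBytes('fingerprint-logon-demo')   # hypothetical app-specific entropy

function Protect-ByDpapi {
    param([string]$Secret)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [Convert]::ToBase64String($blob)
}

function Unprotect-ByDpapi {
    param([string]$Blob)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect([Convert]::FromBase64String($Blob), $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

$password = 'Correct-Horse-Battery'   # constructed sample input, not a real credential

$s = Protect-ByScramble $password
"scrambled blob:                  $s"
"recovered with no secret at all: $(Unprotect-ByScramble $s)"

$d = Protect-ByDpapi $password
"DPAPI blob:                      $d"
"recovered in the owner's session: $(Unprotect-ByDpapi $d)"
# Unprotect-ByDpapi on a copy of $d from a different user's session throws a
# CryptographicException; Unprotect-ByScramble succeeds wherever the blob is readable.
```

The practitioner's caveat: DPAPI only binds the blob to the user's logon credentials (plus, on a domain, the domain backup key), so a product that has to replay the Windows password is still only as strong as whatever guards that wrapping key. The safer design is not to hold a replayable copy of the account password at all.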

Elcomsoft advises users of UPEK Protector Suite to disable its Windows logon feature.

UPEK was acquired in September 2010 by AuthenTec, which now uses TrueSuite software for its fingerprint biometrics. Users still running the UPEK software, however, will need to upgrade to TrueSuite to eliminate the flaw.

Elcomsoft is a member of the Russian Cryptology Association (RCA) and the Computer Security Institute.

The company's website includes this testimonial quote from famed hacker and social engineer Kevin Mitnick: “I want to thank Elcomsoft for providing the best password auditing and recovery tools on the market.”

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • Biometric Security Flaw

    So, if someone cuts off your finger they can break into your system and totally compromise it. Sorry, I would do all that myself to keep my finger.
    • No

      No, this is bad... almost as bad as it gets. What this means is that anyone who can log into that PC as Administrator, or who has privileges to examine the registry on that machine remotely, can farm usernames and passwords from it. Storing passwords using reversible encryption is a big, BIG no-no and this appears to be what this system does.

      Yes, it does require some degree of elevated privileges, but I'd wager that in most organizations there are a LOT of users with that degree of privilege. And once you have a bunch of users potentially possessing a bunch of other users logins/password combinations security and auditing go out the window.

      Hell, in a Windows Active Directory Domain environment, even an Enterprise Admin does not have the ability to examine a user's password, for this very reason.
      • Biometrics...

        ...should be motherboard-based and not software-based. Anybody who relies on Windows 'security' to protect them is an idiot.
        Cylon Centurion
        • Uhuh

          I'm sure on Caprica Linux is all the rage, but here on Planet Earth most businesses rely on Microsoft technologies for authentication and security. So that being the case: there's a right way and a wrong way to do this, and UPEK is doing it the wrong way.
          • UhHuh

            "most businesses rely on Microsoft technologies for authentication and security"

            Uh-huh, and then you wonder why you're fu*ked when you do.

            So much for "Planet Earth..."
            Cylon Centurion
          • Funny

            Funny, I've never wondered that. Sounds like you need to spend some time learning Windows security and configuring and hardening your environment according to Microsoft best practices. Your network is only as secure as you make it.
          • Maybe you should start wondering then

            Or do we all need to take your 'professional' word for it, given the past 20 years of screw-ups, the most recent of which this article mentions.

            Not to mention hardware-based Biometrics is OS neutral. Or didn't you know that?

            In fact, you're probably better off using a USB dongle with FIPS 140-2, Level 3 validation and AES 256-bit hardware encryption than relying on you guys on the other end to screw it up.

            But keep up the damage control. You're gonna need it.
            Cylon Centurion
          • Right

            Right, because Microsoft is responsible for every software package or hardware device that a third party manufacturer releases into the market.

            And holy cow, let me just say: it's just stunning what weenies the fanboys are on these forums. I'm looking at my previous posts and they're getting flagged two or three times... for what? For saying something you guys don't *like*? Save the flags for spam, you dolts. That's what it's there for. Not because I hurt your feelings with some comments I made defending Windows (Hell, I wasn't even attacking your OS).

            And for the record, I've defended and expressed admiration for various aspects of Windows, Linux, iOS, Android and MacOS on these forums. I was a partisan in the Atari vs. C64 wars of the late 1970s, the Mac vs. Wintel wars of the 1980s and 90s, and then something happened along the way: I grew up!
          • Well they asked for it

            "Right, because Microsoft is responsible for every software package or hardware device that a third party manufacturer releases into the market."

            Well that's what you get for becoming the biggest monopoly in the IT world. This article says "Windows accounts", NOT "Apple accounts" or "Linux accounts".

            "Windows accounts".

            I know that puts a hole into your gushing fanboydom but dat's what happens when da cookie crumbles.
            Cylon Centurion
  • The simple solution?

    Upgrade to Linux. Linux learned long ago not to store passwords in plain text. What's wrong with MS?
    • There's a major flaw in your argument

      UPEK software is storing Windows passwords in almost plain text, not Windows itself.
      • But why... UPEK being allowed to store Windows passwords in the first place?
        • LOL

          LOL, when a secretary writes her password on a sticky note and affixes it to the bottom of her keyboard she's storing it in plain text, too. I guess that's Microsoft's fault also, and proof that Windows is insecure.
          • It is

            Especially considering most Windows users are dumb to begin with and do those kinds of things.

            I doubt most of them even have a user account for their home machines. Linux, on the other hand, would force you to create one

            This is the kind of clientele they attract when they monopolize everything.
            Cylon Centurion
          • Linux

            Yeah, Linux forces you to do a lot of things... which is why it has something like 1% of the desktop marketshare.
          • It's just too tough

            For the dummies out there.

            Cylon Centurion
          • That may be

            the most ignorant statement of the day. The day is young so there is more time to lower the bar. Have at it...
        • Are you serious?

          Windows doesn't 'allow' anything. The UPEK/AuthenTec Protector Suite software asks users to type in their passwords, to link them to their fingerprints. It then saves the passwords typed in by the users in almost plaintext format. It doesn't (and can't) get user passwords from the OS, it gets them from users. If Protector Suite used the Windows security model instead of rolling its own, this flaw wouldn't exist.

          If you think Linux would help, you may have got things backwards. For Windows and Mac, AuthenTec offer their new TrueSuite software, which does not contain the above design flaw. For Linux, AuthenTec only offer their old Protector Suite software. Since Protector Suite uses its own home-made security system, which is broken by design, it probably contains the same security flaw on all platforms.

          h t t p : / /
    • Won't help, as if you run UPEK software on a Linux machine

      the passwords to the machine would be stored in plain text.
      William Farrel
      • How do you know?

        You don't since you don't use Linux machines.

        Just lettin' people know...

        Cylon Centurion