Vendor’s biometric software compromises “entire security model of Windows accounts”

Laptops from various manufacturers including four of the world's top five largest PC makers, sport fingerprint readers with a flaw in their software described as “nothing but a big, glowing security hole compromising the entire security model of Windows accounts.”

The research and quote came from ElcomSoft, a developer of Windows software and a Microsoft Certified Partner, after it discovered a flaw in UPEK Protector Suite, a fingerprint reader software. The Moscow, Russia-based Elcomsoft called UPEK a paper link to a stainless steel chain.

“We found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted,” Olga Koksharova wrote on the Elcomsoft blog. “We could extract passwords to all user accounts with fingerprint-enabled logon. Putting things into perspective: Windows itself never stores account passwords unless you enable “automatic login”, which is discouraged by Microsoft.” In fact, Windows warns users that automatic login is a security risk before allowing activation of the setting.

 The UPEK software, until recently, was shipped with the majority of laptops equipped with the company's fingerprint hardware. Over the years, UPEK’s fingerprint authentication hardware and software also was integrated into various USB flash drives, external hard disk drives, and mobile phones. 

The laptop manufacturers using UPEK software include Acer, ASUS, Dell, Gateway, Lenovo, MSI, NEC, Samsung, Sony, and Toshiba.

Protector Suite lets users swap a finger swipe in place of a password. The software caches passwords to Web sites and Windows itself to support the one-finger login.

Hackers compromising the UPEK software could gain access to all the files and documents on a PC. Elcomsoft notes that hackers would not be able to access EFS-encrypted files without knowledge of the Windows account password.

Elcomsoft says users with  UPEK Protector Suite software disable the Windows logon feature.

UPEK was acquired in September 2010 by Authentec , which now uses TrueSuite software for its fingerprint biometrics. Users with the UPEK software, however, will need an upgrade to TrueSuite to eliminate the flaws. 

Elcomsoft is a member of the Russian Cryptology Association (RCA) and the Computer Security Institute.

The company’s website includes this testimonial quote from famed hacker and social engineer Kevin Mitnick: “ I want to thank Elcomsoft for providing the best password auditing and recovery tools on the market.”

See also:

• FBI hack yielded 12 million iPhone and iPad IDs, Anonymous claims
• Second accused LulzSec hacker arrested in US
• One in five hacked logins match Microsoft Accounts