PC passwords exposed by flaw in Apple-owned fingerprint software

Security researchers have confirmed a vulnerability in now Apple-owned fingerprint software that exposes passwords on Windows PCs.
Written by Zack Whittaker, Contributor

A security flaw in fingerprint reading software, now owned by Apple, which has the potential to leave millions of Windows PC users' passwords exposed, has been independently verified by security researchers. 

Any hacker with physical control of a person's computer can skim Windows account passwords out of the system, reports Ars Technica.

In July, Apple acquired Australia-based fingerprint hardware firm AuthenTec for $356 million. The firm makes smart sensors and management software, along iwth embedded security devices including fingerprint readers. (In a separate purchase, Apple earlier this month inked a deal with another Australian firm Microlatch which may see the iPhone and iPad maker develop fingerprint technology for use in near-field communications applications.)

But Apple, which is in control of the hardware and software, has yet to make a statement, issue updates, or even acknowledge that it is now responsible for the flaw in its software, used on its main rival's operating system.

The UPEK fingerprint software, which was acquired by AuthenTec in 2010, contains a flaw that makes extracting the fingerprint-associated password easier to crack, despite the software being marketed as a secure means of logging into a Windows machine using a biometric fingerprint.

Many laptop and PC makers use the UPEK software, including: Acer, Asus, Dell, Gateway, Lenovo, MSI, NEC, Samsung, Sony, and Toshiba. (Lenovo rebranded the UPEK software as ThinkVantage.)

In August, Windows software developer and Microsoft certified partner Elcomsoft discovered the flaw in the UPEK software, dubbing it a "paper link to a stainless steel chain."

The flaw exists partly in Windows in that the user's account password is "stored in [the] Windows registry almost in plain text, barely scrambled but not encrypted," said Olga Koksharova on the Elcomsoft blog. The security researchers who confirmed the vulnerability said that was "close enough," and detailed where the Windows passwords are stored in the registry.

The researchers have now released open-source software that allows hackers to exploit Windows machines with fingerprint readers that contain the APEK software.

They explained:

The first 24 bytes are header and size information, after the encrypted data there is a 4 byte number that indicates the number of bytes in the next section, the following bytes are used in the IV. The encryption key is 'generated' using a PBKDF2-like function that uses MD5 hashing, but unfortunately when storing data in the registry they aren't using a password -- so the outcome is based purely on an MD5 hash that they are using as a 'seed' value. This means that the key used is always the same.

Better: the key is only 56 bits.

Ars Technica notes that when the UPEK software isn't in use or activated, Windows doesn't store user passwords in the registry unless the user allows the machine to boot up and login automatically. But disabling the Windows login prompt from the UPEK software doesn't remove the password from the registry. Only removing the user's "passport" from the software will do so.

ZDNet has reached out to Apple and we will update the piece if we hear back. 

Editorial standards