ElcomSoft exposes security flaw in fingerprint reading software

In a rather worrying advisory issued by ElcomSoft, it has been revealed that a major security flaw has been discovered in the UPEK Protector Suite, fingerprint-reading software that shipped with the majority of laptops equipped with UPEK fingerprint readers until AuthenTec acquired the company and moved to different software. ElcomSoft, in its advisory, details further that until very recently most major manufacturers, such as Acer, ASUS, Dell, Gateway, Lenovo, MSI, NEC, Samsung, SONY and Toshiba, were using fingerprint readers manufactured by UPEK.

Fingerprint reader security hole exposed (Image credit: Getty Images)

The UPEK Protector Suite drives the fingerprint-reading hardware so that users can do away with typing passwords and instead log in with a single finger swipe. To make this work, the UPEK Protector Suite stores the users' passwords and then offers near-instant logons to Windows and to websites. “Logging into Windows by swiping a finger instead of clicking and typing a (probably long and complex) password sounds tempting. And, it works. A simple swipe of your finger, and you’re in. Wonderful; but what about security?” the post details further.


ElcomSoft mentions in its post that when several laptops running the UPEK Protector Suite were analysed, it was found that the Windows account passwords were stored in the Windows registry in almost plain text - “barely scrambled but not encrypted”.


The post goes on to add that, with physical access to a laptop running the UPEK Protector Suite, it was possible to obtain the passwords of all user accounts that had been set up for finger-swipe login. "Putting things into perspective: Windows itself never stores account passwords unless you enable “automatic login”, which is discouraged by Microsoft. If you use the Windows auto-logon feature, you’ll see a message saying 'Using automatic logon can pose a security risk because anyone that has access to your computer will have access to your programs and personal files.' Simply said, no corporate user will ever use this 'automatic logon' feature, which is often banned by corporate security policies."


ElcomSoft reiterates the common belief that biometric logon may be a safer bet than typing passwords. In the case of UPEK, however, ElcomSoft notes that "..they preferred the easy route: UPEK Protector Suite simply stores the original password to Windows account, making it possible for an intruder to obtain one."


ElcomSoft also notes that storing Windows account passwords in (near) plain text "defeats the entire purpose of enhanced security". It adds, "with current implementation, we cannot speak of any security as the entire PC becomes extremely easy to exploit to anyone aware of this vulnerability. This time around, UPEK made it completely wrong, introducing a paper link to a stainless steel chain."
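To make concrete why "barely scrambled but not encrypted" storage is as good as plain text, here is an added illustration that is not part of the ElcomSoft advisory and is not UPEK's code: a hypothetical repeating-key XOR "scrambler" of the kind that software must use if it has to recover the real password on its own after a finger swipe. The key, its length, the UTF-16 encoding and the sample account data are all constructed assumptions for the example; nothing on this page describes UPEK's actual format, algorithm or registry location.

```python
# Illustrative only: a hypothetical fixed-key "scramble" of stored Windows
# passwords, showing why scrambling is not encryption. This is NOT UPEK's
# actual algorithm, key or registry layout; none of that appears on the page.

# Hypothetical obfuscation key. Software that must recover the plaintext by
# itself (to log the user in after a swipe) has to carry a key like this in
# its own binary or data, where anyone holding the laptop can read it too.
OBFUSCATION_KEY = bytes.fromhex("5ac31977e2048d3b")


def _xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation scrambles and unscrambles."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def scramble(password: str, key: bytes = OBFUSCATION_KEY) -> bytes:
    """What a 'barely scrambled' stored password looks like.
    Windows strings are UTF-16-LE, so the plaintext is encoded that way."""
    return _xor(password.encode("utf-16-le"), key)


def unscramble(blob: bytes, key: bytes = OBFUSCATION_KEY) -> str:
    """Anyone who has the blob and the key (i.e. the software) gets the password."""
    return _xor(blob, key).decode("utf-16-le")


def recover_key(blob: bytes, known_password: str) -> bytes:
    """Recover the key WITHOUT reading it out of the program, from one stored
    blob whose plaintext the attacker knows (e.g. their own account).
    XOR-ing blob and plaintext yields the keystream; its shortest repeating
    period is the key. If the known password is shorter than the key, only a
    prefix of the key is recovered (that caveat is why the sample uses an
    11-character password against an 8-byte key)."""
    known = known_password.encode("utf-16-le")
    stream = _xor(blob[: len(known)], known)
    for period in range(1, len(stream)):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


def recover_all_accounts(store: dict, attacker_account: str,
                         attacker_password: str) -> dict:
    """Given a dump of the whole store and one known password, return every
    account's plaintext: all accounts are scrambled under the same fixed key."""
    key = recover_key(store[attacker_account], attacker_password)
    return {account: unscramble(blob, key) for account, blob in store.items()}


# Constructed sample data standing in for a dump of such a store.
SAMPLE_PASSWORDS = {
    "Administrator": "P@ssw0rd-Corp",
    "jdoe": "Tr0ub4dor&3",
    "guest-user": "Summer2012!",
}
SAMPLE_STORE = {name: scramble(pw) for name, pw in SAMPLE_PASSWORDS.items()}


if __name__ == "__main__":
    # Scenario: the attacker only knows the 'guest-user' password but can
    # read the whole store (physical access to the laptop).
    recovered = recover_all_accounts(SAMPLE_STORE, "guest-user", "Summer2012!")
    for account, password in recovered.items():
        print(f"{account}: {password}")
```

The two attack paths shown are the practical meaning of ElcomSoft's complaint: either the fixed key is lifted from the software that ships alongside the data, or, without touching the software at all, one known password recovers the key and therefore every other account stored under it. No amount of scrambling changes this; the only fix is the one the advisory implies, which is not to store the Windows password on the machine at all.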


Importantly, ElcomSoft notes that the scope of the problem is very broad and is not limited to a particular laptop model or manufacturer. It states that, "All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible." Worryingly, any user who has ever registered fingerprints with UPEK Protector Suite for near-instant logon and entered an account password there is at risk, according to ElcomSoft.


"If you care about security of your Windows account, launch UPEK Protector Suite and disable the Windows logon feature. That should clear the stored password for your account. Note that you should clear all stored account passwords to protect all user accounts," the post offers. 

Published Date: Sep 05, 2012 04:13 pm | Updated Date: Sep 05, 2012 04:13 pm