Security flaw in fingerprint recognition software exposes Windows passwords

Following research by security consultants, it now stands confirmed that on gaining physical control of PCs, hackers can potentially extract Windows account passwords, taking advantage of a loophole. A report by Ars Technica now confirms the vulnerability was found on PCs sold by Dell, Acer, and at least 14 other manufacturers.  


The report highlights that the loophole exists in several versions of the fingerprint-reading software known as UPEK Protector Suite. It added that Apple bought Authentec that had previously acquired the technology from privately held UPEK in 2010. 


Early last month, an advisory issued by ElcomSoft revealed that a major security flaw had been discovered in the UPEK Protector Suite, a fingerprint reading software. This software had been shipping with most laptops equipped with UPEK fingerprint readers until Authentec acquired the company, and moved to another software. In its advisory, ElcomSoft detailed further that till very recently most major manufacturers such as Acer, ASUS, Dell, Gateway, Lenovo, MSI, NEC, Samsung, Sony, and Toshiba were using fingerprint readers manufactured by UPEK. 

Fingerprint reader security hole exposed (Image credit: Getty Images)

Security consultants confirm flaw (Image credit: Getty Images)



However now, a month later, two security consultants confirmed the existence of the vulnerability, and subsequently released an open-source software "that makes it easy to exploit it". The consultants found that easily deciphered passwords are stored in one of several registry keys located in HKEY_LOCAL_MACHINE Software Virtual Token Passport, depending on the version of the application. "The duo said they released the software and additional information so that penetration testers, who are paid to penetrate the defenses of their customers, can exploit the weakness," adds the Ars Technica report. 


The report quotes Brandon Wilson, one of the consultants, "From a penetration testing perspective, local administrator access is required to obtain the necessary registry key's value, so it only matters if you already have control of the PC. But since so many of these devices are used in corporate environments, it makes it easy to obtain domain credentials, and from there, easily expand an attack to other systems".


If the Protector Suite has not been activated, Windows does not save account passwords in the registry -- not unless users configure an account for automatic log-in. By deactivating the Windows login from within the Protector Suite, the password from the registry key will not be gone. "If the "passport" for that user is deleted from within the application, the password is also deleted. When uninstalling the application, an option is presented to the user to also delete the passport data. If left, the password remains, and if removed, the password is deleted, Wilson said," adds the report.


The UPEK Protector Suite manages a fingerprint reading hardware using which users can do away with typing passwords and instead swipe a finger to the same effect. Over time, the UPEK Protector Suite caches passwords, and users are offered almost instant logins to websites. “Logging into Windows by swiping a finger instead of clicking and typing a (probably long and complex) password sounds tempting. And, it works. A simple swipe of your finger, and you’re in. Wonderful; but what about security?,” the post reveals. 


ElcomSoft mentions in its post that when several laptops running the UPEK Protector Suite were analysed, it was found that several Windows account passwords were stored in Windows registry in almost plain text -- “barely scrambled but not encrypted".

Published Date: Oct 10, 2012 13:29 PM | Updated Date: Oct 10, 2012 13:29 PM