Laptop fingerprint reader destroys 'entire security model of Windows accounts'

Have a laptop with a fingerprint reader and use that biometric security? Most popular laptops shipped with a UPEK fingerprint reader. If yours did, then sadly your password is not secure. It's easy to crack and, in fact, destroys 'the entire security model of Windows accounts.'

If your password management system is to use your "fingerprint as your master password," and if your laptop uses UPEK software, then you'll not be happy to know your Windows password is not secure and instead is easily crackable. In fact, "UPEK's implementation is nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts." UPEK fingerprint reader and software came installed on laptops manufactured from any of these 16 companies: Acer, Amoi, ASUS, Clevo, Compal, Dell, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC, Sager, Samsung, Sony and Toshiba.

On the Elcomsoft blog about "advanced password cracking insight," Olga Koksharova had bad news for people who thought they were more secure by using biometrics, a UPEK fingerprint reader, instead of relying on a password. UPEK stores Windows account passwords in the registry "almost in plain text, barely scrambled but not encrypted." It's not just a few that are susceptible to hacking. "All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible. If you ever registered your fingerprints with UPEK Protector Suite for accelerated Windows login and typed your account password there, you are at risk."

"We could extract passwords to all user accounts with fingerprint-enabled logon. Putting things into perspective: Windows itself never stores account passwords unless you enable 'automatic login', which is discouraged by Microsoft." In fact, Windows warns users that automatic login is a security risk before allowing activation of the setting.
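The Windows side of that claim can be checked directly. The following PowerShell audit is an added example, not code from the article, Elcomsoft, or AuthenTec/UPEK: it reads the Winlogon registry values Windows itself uses for automatic logon (AutoAdminLogon, DefaultUserName, DefaultPassword) and flags a machine where an account password sits readable in the registry. The function name Get-AutoLogonStatus and the risk labels are this example's own; it does not look at UPEK Protector Suite's storage, whose location the article does not give.

```powershell
# Added audit check (not from the article). Run in an elevated PowerShell session.
# Reports whether Windows automatic logon is enabled and whether a plaintext
# DefaultPassword value is stored under the documented Winlogon key.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonStatus {
    param([string]$Path = $winlogon)

    # Read all values under the key; fail loudly if the key is unreadable.
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    # AutoAdminLogon is a REG_SZ holding "1" when automatic logon is on.
    $enabled = ($props.AutoAdminLogon -eq '1')

    # DefaultPassword, when present as a registry value, is the account
    # password in the clear. (Tools such as netplwiz store it as an LSA
    # secret instead, which this check does not cover.)
    $hasPlainPassword = -not [string]::IsNullOrEmpty($props.DefaultPassword)

    if ($hasPlainPassword) {
        $risk = 'HIGH: account password readable from the registry'
    } elseif ($enabled) {
        $risk = 'MEDIUM: automatic logon enabled; password held outside this key'
    } else {
        $risk = 'OK: automatic logon not enabled'
    }

    [pscustomobject]@{
        AutoAdminLogon     = $enabled
        DefaultUserName    = $props.DefaultUserName
        PasswordInRegistry = $hasPlainPassword
        Risk               = $risk
    }
}

$status = Get-AutoLogonStatus
$status | Format-List

if ($status.PasswordInRegistry) {
    Write-Warning 'Remediation: disable automatic logon, then remove the stored value:'
    Write-Warning "  Remove-ItemProperty -Path '$winlogon' -Name DefaultPassword"
}
```

The point of the check is the contrast the article draws: Windows only ends up with a recoverable account password when an administrator deliberately turns on automatic logon, and this script makes that state visible on a fleet so it can be found and reversed.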

So if you subscribed to the theory "password management at your fingertips," believing that biometrics increased your security via using UPEK Protector Suite, and also encrypted files or folders with Windows Encrypting File System (EFS), then Elcomsoft has even worse news for you.

EFS encryption is extremely strong and impossible to break without knowing the original Windows account password. And here comes UPEK Protector Suite. Conveniently storing your plain-text account password, the suite gives the intruder the ability to access your used-to-be-protected EFS encrypted files. Bummer.

UPEK Protector Suite software shipped with laptops equipped with UPEK fingerprint readers until 2010, when the company was acquired by AuthenTec and switched to TrueSuite software. Elcomsoft warned, however, that most "existing laptop users will simply stay with the old flawed software, not feeling the need to upgrade." Furthermore, "if you care about security of your Windows account, launch UPEK Protector Suite and disable the Windows logon feature. That should clear the stored password for your account. Note that you should clear all stored account passwords to protect all user accounts."

Elcomsoft often writes about "password recovery" and is a member of the Russian Cryptology Association (RCA) and the Computer Security Institute. Yet it is not the only firm that has found flaws in UPEK software. UPEK Protector Suite also came under fire last year when the Vulnerability Laboratory disclosed that the UPEK Protector Suite 2011 was vulnerable to buffer overflow.

Ars Technica's Dan Goodin reported that AuthenTec is allegedly "aware of the weakness" in the UPEK Protector Suite. Yet AuthenTec has neither recalled the software, nor issued a security warning—despite the fact that the digital privacy of millions of people is now at risk.

AuthenTec reported revenue of $20.5 million in the second quarter of 2012. The company's last two news releases pertained to AuthenTec's "first military-grade encryption offering for data stored on Android devices and removable storage media" and AuthenTec's VPN security and FIPS-certified cryptographic security being integrated into Pantech's newest Android smartphones.

According to Sophos Naked Security, "Brent Dietz, the Director of Corporate Communications at Authentec, said that his company can’t find any evidence to support those [Elcomsoft] claims." Dietz added that "ProtectorSuite uses AES encryption to protect stored passwords and that the company would never leave passwords in an unencrypted state in its software – past or present. Should the company find evidence to support Elcomsoft's claims, it will push a patch to customers immediately."

Copyright © 2012 IDG Communications, Inc.
