UPEK Fingerprint Reader Software Puts Windows Passwords At Risk
colinneagle writes with this excerpt from Network World: "If your password management system is to use your 'fingerprint as your master password,' and if your laptop uses UPEK software, then you'll not be happy to know your Windows password is not secure and instead is easily crackable. In fact, 'UPEK's implementation is nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts.' On the Elcomsoft blog about 'advanced password cracking insight,' Olga Koksharova had bad news for people who thought they were more secure by using biometrics, a UPEK fingerprint reader, instead of relying on a password. UPEK stores Windows account passwords in the registry 'almost in plain text, barely scrambled but not encrypted.' It's not just a few that are susceptible to hacking. 'All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible. If you ever registered your fingerprints with UPEK Protector Suite for accelerated Windows login and typed your account password there, you are at risk.'"
Secure boot has no relevance at all.
This situation is the same for ANY biometric login method. The actual password has to be stored for decryption.
Ridiculously hard. Fingerprints are biometric, they change. You have a rough model that's similar to a rough model snapshot of your fingerprint pressed, squished, scanned, etc. Your print may possibly be rotated--orientation is random, but comparable to a known snapshot. Basically every time you image the fingerprint you get a slightly different result, and you apply fuzzy logic to work out if it matches prior data.
This also means that using fingerprint uniqueness points to generate some sort of AES key would store your password in plain text: the fingerprint is stored somewhere for verification, and therefore the fingerprint model can be used to derive the encryption key, and thus the key is stored with the ciphertext, thus plain text. (By this logic, if you attach your front door key to your front door with a magnet and then lock your front door and leave, your house is unlocked--any moron can pluck the key dangling by the door knob and open your door, you've simply altered the interface a bit. Key under the doormat is the same, takes a little more time examining it to figure out how you're supposed to open the door but you can, it's not really locked.)
What I don't get is why it needs to store the Windows account password at all. If they wrote a proper authentication plugin for the Windows security model, they would just need to know the user's SID and have permission to go 'Yep, the person at the console is in fact this SID' without needing to provide the password at all. I've done this before, it's really not all that hard either, day or 2 of digging through docs and actual coding. *confused*
There is actually some new research into exactly this problem. Using what they call "fuzzy extractors" you can derive a secure key from noisy information. Really cool, check it out http://www.cs.bu.edu/~reyzin/fuzzy.html
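A sketch of the fuzzy-extractor idea mentioned in the comment above, using the code-offset construction; this is an added example, not code from the thread, from UPEK, or from the linked research. The repetition code, HMAC-SHA256 as the extractor, the toy parameters and the 160-bit reading are assumptions chosen for illustration (real fingerprint features are not a fixed-length bit string). What gets stored is the reading XORed with a random codeword plus a seed, not the reading or the key.

```python
import hashlib, hmac, secrets

R, K = 5, 32   # toy parameters: 32 blocks of 5 bits, 2 bit errors corrected per block

def _encode(bits):                      # repetition code: repeat each bit R times
    return [b for b in bits for _ in range(R)]

def _decode(bits):                      # majority vote inside each R-bit block
    return [int(sum(bits[i:i + R]) > R // 2) for i in range(0, len(bits), R)]

def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def _extract(w, seed):                  # assumption: HMAC-SHA256 as the extractor
    return hmac.new(seed, bytes(w), hashlib.sha256).digest()

def generate(w):
    """Enrollment: derive a key from reading w; only the helper data is stored."""
    codeword = _encode([secrets.randbelow(2) for _ in range(K)])
    seed = secrets.token_bytes(16)
    return _extract(w, seed), (_xor(w, codeword), seed)

def reproduce(w_noisy, helper):
    """Login: rebuild the same key from a noisy reading plus the helper data."""
    sketch, seed = helper
    codeword = _encode(_decode(_xor(w_noisy, sketch)))   # strip the noise
    return _extract(_xor(sketch, codeword), seed)        # recover w, re-derive key

def flip(bits, positions):
    """Simulate scan noise by flipping the bits at the given positions."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

if __name__ == "__main__":
    reading = [secrets.randbelow(2) for _ in range(K * R)]   # constructed sample
    key, helper = generate(reading)
    print(reproduce(flip(reading, {0, 7, 150}), helper) == key)   # within tolerance
    print(reproduce(flip(reading, {0, 1, 2}), helper) == key)     # too noisy
```

A reading with at most two flipped bits per block reproduces the enrolled key; three flips inside one block push it past the code's correction capacity and yield a different key.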