UPEK Fingerprint Reader Software Puts Windows Passwords At Risk

colinneagle writes with this excerpt from Network World: "If your password management system is to use your 'fingerprint as your master password,' and if your laptop uses UPEK software, then you'll not be happy to know your Windows password is not secure and instead is easily crackable. In fact, 'UPEK's implementation is nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts.' On the Elcomsoft blog about 'advanced password cracking insight,' Olga Koksharova had bad news for people who thought they were more secure by using biometrics, a UPEK fingerprint reader, instead of relying on a password. UPEK stores Windows account passwords in the registry 'almost in plain text, barely scrambled but not encrypted.' It's not just a few that are susceptible to hacking. 'All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible. If you ever registered your fingerprints with UPEK Protector Suite for accelerated Windows login and typed your account password there, you are at risk.'"

No surprise

Using fingerprint data as an decryption key is very hard as the information is quite noisy. However, an decryption key is still needed to fetch the password (which, in turn, is needed for example to access encrypted files). Without a secure boot infrastructure a TPM doesn't help, so that leaves only the possibility of storing the key on-disk. Once the key is located, obtaining the password is trival so it doesn't really matter whether strong encryption is used.

This means that probably all fingerprint scanner software suffers from this flaw.

Re:No surprise

[bluefoxlucid]

Basically if the fingerprint scanner integrated with Windows Login the same way as third party login systems like Novel Networks et al, it wouldn't need your password until you tried to access an encrypted file. The flaw here is they hack it out by sending your password to Windows; fingerprint data is too noisy, you compare it as "sufficiently similar" but it's going to be too unique to generate a key from with any repeatability and high entropy. Thus they store the key UUENCODED or BASE64 or MIME to obscure it, which doesn't work on hackers. Instead, they should hook the login process and directly complete user authentication without a password, and let windows ask for a password if it tries to touch an EFS file.

Security Theature NOW ON BROADWAY

[RobertLTux]

so how long has this been in use before somebody noticed the passwords were effectively PLAIN TEXT??

folks this is about as smart as swimming near Amnity Island with an open wound on your ankle.

I propose any kind of Silver Bullet be subjected to the Mitnick Test (throw it at a group of blackhats and then see how long it takes them to break it fix what you find and then pay them enough to keep quiet)

Re:Security Theature NOW ON BROADWAY

[gstoddart]

so how long has this been in use before somebody noticed the passwords were effectively PLAIN TEXT??

You know, this kind of stuff happens all of the time -- because people are lazy, under pressure from the boss, or just plain stupid.

Several years ago, I was helping to install some software which was supposed to go onto the machine in the DMZ and reach back into the firewall to access a database.

It turns out the software stored the admin password in cleartext in a registry key (zero attempts to obfuscate, let alone encrypt). I started shouting this quite loudly to anybody who would listen, and tried to explain why this was ludicrous.

Eventually I got told it was a low risk, and that I should shut up. Sometimes, management overrules you on these things.

Sadly, I'm betting someone brought this to someone's attention, and got told to STFU.

Re:This is a non-issue.

[The+MAZZTer]

As the article states, individually encrypted files using EFS would normally be secure even with the method you mention since that method does not obtain the Windows password, You can only access machine unencrypted files, or reset a password. Windows itself is as secure as you could expect. As you said the same can be done to Linux.

Still I can imagine some people think Windows machines are "secure" somehow if they just have a password on their account. These people would likely assume their system would be more secure with the UPEK reader.

Also it sounds like this UPEK software has more features, probably browser passwords and such, so there may be more problems using the UPEK software. This article doesn't state it though.

Interestingly the manufacturer is claiming passwords are stored using AES. It would be interesting to see someone else follow up and see who is telling the truth.

Re:Is it really secure anyways?

I haven't seen these used anywhere. Does anyone find fingerprint biometrics to be useful?

It is very useful to laptop salesmen and computer manufacturers as a selling point/gimmick for the clueless masses.

Re:This is a non-issue.

[cryptizard]

Right, but they don't require a 100% match on the extracted features. Also, if the key is derived from the fingerprint, and the fingerprint template is stored on the disk, then really the key is just being stored on the disk in a roundabout way and you don't have any better security anyway.