Slashdot Mirror
UPEK Fingerprint Reader Software Puts Windows Passwords At Risk
colinneagle writes with this excerpt from Network World: "If your password management system is to use your 'fingerprint as your master password,' and if your laptop uses UPEK software, then you'll not be happy to know your Windows password is not secure and instead is easily crackable. In fact, 'UPEK's implementation is nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts.' On the Elcomsoft blog about 'advanced password cracking insight,' Olga Koksharova had bad news for people who thought they were more secure by using biometrics, a UPEK fingerprint reader, instead of relying on a password. UPEK stores Windows account passwords in the registry 'almost in plain text, barely scrambled but not encrypted.' It's not just a few that are susceptible to hacking. 'All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible. If you ever registered your fingerprints with UPEK Protector Suite for accelerated Windows login and typed your account password there, you are at risk.'"
...I don't really know.
Criminals have stopped chopping off right index fingers. More news at 11
sudo make me a sandwich
Using fingerprint data as an decryption key is very hard as the information is quite noisy. However, an decryption key is still needed to fetch the password (which, in turn, is needed for example to access encrypted files). Without a secure boot infrastructure a TPM doesn't help, so that leaves only the possibility of storing the key on-disk. Once the key is located, obtaining the password is trival so it doesn't really matter whether strong encryption is used.
This means that probably all fingerprint scanner software suffers from this flaw.
so how long has this been in use before somebody noticed the passwords were effectively PLAIN TEXT??
folks this is about as smart as swimming near Amnity Island with an open wound on your ankle.
I propose any kind of Silver Bullet be subjected to the Mitnick Test (throw it at a group of blackhats and then see how long it takes them to break it fix what you find and then pay them enough to keep quiet)
Any person using FTFY or editing my postings agrees to a US$50.00 charge
We were issued laptops with fingerprint biometrics in a science class a couple years ago. I swiped my finger on my friends laptop and it logged into his account for me. Hopefully, despite this new found security hole, they have come a long way since then. I haven't seen these used anywhere. Does anyone find fingerprint biometrics to be useful? Secure? Maybe it's really just to keep the honest people honest.
As the article states, individually encrypted files using EFS would normally be secure even with the method you mention since that method does not obtain the Windows password, You can only access machine unencrypted files, or reset a password. Windows itself is as secure as you could expect. As you said the same can be done to Linux.
Still I can imagine some people think Windows machines are "secure" somehow if they just have a password on their account. These people would likely assume their system would be more secure with the UPEK reader.
Also it sounds like this UPEK software has more features, probably browser passwords and such, so there may be more problems using the UPEK software. This article doesn't state it though.
Interestingly the manufacturer is claiming passwords are stored using AES. It would be interesting to see someone else follow up and see who is telling the truth.
Not a surprise that it's vulnerable, but it is surprising how badly they stored the passwords.
Remember that Simpsons ep where Smithers and Burns have to enter their top secret command post? They pass through a dozen high-tech security portals worthy of a James Bond movie to get there. Unexplained is why they didn't just use the other entrance, which consists of a broken screen door.
Then there's the ISP I used to work for that advertises "Biometric security access". What is means is that a server room in an office building has a lock that can be opened by employee fingerprint. Of course, it can also be opened by an ordinary key, which is what building security uses.
People buy security tech, and they think they've solved a security problem. Once again I quote Bruce Schneier: security is a process, not a product.
The best authentication has three components:
1. Something you know (such as a passphrase), plus...
2. Something you own (such as the ID number from a FOB which rotates IDs every minute), plus...
3. Something you are (biometrics).
You don't use biometrics *instead* of the passphrase or FOB; you use it to augment the effectiveness of those techniques.
Koans and fables for the software engineer
Secure boot has no relevance at all.
This situation is the same for ANY biometric login method. The actual password has to be stored for decryption.
It is the same software. It usually says "Powered by Blah Blah". My HP software uses a newer version of the same software (branded as HP Simple Pass 2010 Identity Protection powered by AuthenTech), which supposedly is not vulnerable.
Ridiculously hard. Fingerprints are biometric, they change. You have a rough model that's similar to a rough model snapshot of your fingerprint pressed, squished, scanned, etc. Your print may possibly be rotated--orientation is random, but comparable to a known snapshot. Basically every time you image the fingerprint you get a slightly different result, and you apply fuzzy logic to work out if it matches prior data.
This also means that using fingerprint uniqueness points to generate some sort of AES key would store your password in plain text: the finger print is stored somewhere for verification, and therefor the finger print model can be used to derive the encryption key, and thus the key is stored with the ciphertext, thus plain text. (By this logic, if you attach your front door key to your front door with a magnet and then lock your front door and leave, your house is unlocked--any moron can pluck the key dangling by the door knob and open your door, you've simply altered the interface a bit. Key under the doormat is the same, takes a little more time examining it to figure out how you're supposed to open the door but you can, it's not really locked.)
Support my political activism on Patreon.
All consumer biometric devices should not be considered "security" devices, but rather "convenience" devices. It makes it easier to log in than typinig a password, and it's more convenient than using an OTP on the desktop. But it's not secure as a password because the password store is on the computer.
As far as password lockers go, I'm inclined to trust a password store encrypted by a passphrase (like lastpass) rather than a biometric. That's because with a passphrase, you can have a very precise method of unlocking the password store. The passphrase itself vouches for you and is repeatable. A biometric scan may vouch for you, but the values it returns are not a key. Some other key is used to decrypt the password store. And that "some other key" is open to the whims of how it's implemented by the device maker.
One caveat, on the security scale, commercial biometric devices are a different animal altogether
A search of Dell shows a number of machines that use it linky
People in cars cause accidents....accidents in cars cause people
What i don't understand is why in Avengers Loki used a device to actually break skin/eyeball to relay an eye scan remotely. it seems needlessly cruel. The little device could have easily taken a scan and sent the information instead of cutting into the guy's face. Was the guy going to have to give up an eye if he himself ever needed to get at the iridium?
No one will ever figure out how to "decrypt" it.
Psssshaw. My voice is my password.
I always figured that the digital representation of your fingerprint would be extracted and copied. With that copy a number of options could be possible. Perhaps the scan can be bypassed entirely and the biometric computer fed the digital copy. Or perhaps the copy can be used with the reverse-algorithm from the reverse-engineered reader to produce a fingerprint that will have the same "hash value" even if it is not exactly like the owner's. Any one of these "solution" fingerprints could be printed onto paper or some material that would allow proper scanning as a normal finger.
,far easier to just read the users password out of the registry from where the biometric system wrote it.
Let us not forget the rumored "gummy bear" attack on biometric readers in the past.
But no, I guess it is far
Under recent versions of Windows, services can be configured to "log on" as a particular user in order to run. This requires the password to be entered.
If the user's password is later changed, the services will not run, because the "log on" fails. This implies that the password is being stored (perhaps encrypted) somewhere in a fashion that the password can be recovered (in order to be used by the service to "log on").
If the OS can recover the user's password to log on a service, then other programs should also be able to recover the password.
Have I misunderstood what is happening to the user login, or is it another hole?
The real "Libtards" are the Libertarians!
No it says that windows has a "Security model" I am guessing it is a Model of the HMS Titanic.
Not necessarily. It *might* be possible to store the data used during the verification process in such a way that it would not be sufficient to reconstruct the key data in the absence of the actual print. For example, if you need ten data points, you might choose fifty data points and store a copy of forty of them, which you would then use to distort the scanned image so that the remaining ten would be correct with a high degree of probability. That *might* get you your ten robust data points without actually telling you anything about them.
Alternatively, you could use a cryptographic system designed so that each piece of data provides a portion of a key, and any k of the n pieces of data are sufficient to reconstruct the key. This might be done in any number of ways, mostly involving sophiticated checksums and error correction, and you might even have to have the equivalent of a .par file for your crypto key, but it should be possible, at least in theory.
Or it might require combining techniques like these with who-knows-how-many other techniques.
I have no idea if anybody actually has developed such technology, though. Biometrics are insecure for so many other reasons (triviality of duplication and the inability to change them being the most obvious) that they really aren't that interesting to me. :-)
Check out my sci-fi/humor trilogy at PatriotsBooks.
The summary states that the passwords are scrambled but not encrypted. I fail to see the distinction. If I take a word and reverse it, that is a form of encryption. Sure, it is a very weak form, but it is.
And if you're going to just store the session key in the registry then it doesn't matter if they're using AES with a 5000-bit key.
If they used strong encryption on the password database, and then used TPM to store the session key, with a full trusted boot chain to the software needed to obtain the keys, then that would be pretty strong. However, I don't know that enough of Palladium was ever implemented to make this practical. Full-disk encryption software tends to work this way, but that runs before the bootloader, so it only needs the boot chain to be secure up to that point.
Can anyone tell me which registry entries I should check for? I'd like to verify that uninstalling the software has removed my "barely scrambled" password from the registry.
Insert self-referential sig here.
As others have pointed out all over, what you're suggesting isn't feasible. What is feasible is that the sensor acts like a secure key store. When a finger is swiped that matches an enrolled finger, the sensor releases a key associated with that enrollment.
Yes, social engineer a finger print.
What I don't get is why it needs to store the windows account password at all. If they wrote a proper authentication plugin for the windows security model, they would just need to know the user's SID and have permission to go 'Yep, the person at the console is in fact this SID' without needed to provide the password at all. I've done this before, it's really not all that hard either, day or 2 of digging through docs and actual coding. *confused*
I don't see on a modern laptop why UPEK would even be installed in the first place. If a laptop has a fingerprint scanner, Windows 7 or even Vista will find it and have a native process in place to enroll fingerprints and attach that as a credential to logging in.
I don't know how secure W7 stores that info, but I'm pretty sure it wouldn't be something trivial to decode. Add a TPM chip and BitLocker [1] to the mix, and the fingerprint database is definitely well protected against intrusion.
[1]: If you are leery like me, you use a TPM + PIN + a nonce on a USB flash drive. This way, if the laptop is off or hibernated and it gets stolen, if the USB drive is still in the pocket, then there is assurance that the laptop's OS is well locked down. Even then, I like working completely from remote via GoToMyPC, or some other protocol so the laptop essentially is a glorified terminal. That way, if something does happen and the laptop is happily running and unattended, the damage is still minimal. If I have to store stuff locally, I use a TrueCrypt volume with keyfiles stored on a hardware-secured USB flash drive [2].
[2]: Only one I've really seen that is well engineered are the old IronKeys, now made by Imation. The advantage of these is brute force resistance. 10 wrong password guesses, the key either fries itself or erases itself depending on type.
Easily done. Here, touch this piece of tape. I now have your fingerprint. A good 2D camera with magnification and a 2D/3D modeling program and a 3D printer and you could print your own fingerprint.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Been a long time, but I recall that you could even write custom authentication plugins in VBScript/JScript back in the day and most certainly you can do it with .NET. Why anyone would build a system this way is beyond me.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Right, but then what if you have your home directory encrypted? Usually this key is not stored but derived from your password at login time. You can't do that with fingerprints.
Ah right. Does windows allow you to change the encryption key on the home directory after the fact? I guess it must since people change their passwords. UPEK could re-encrypt it using a key derived from the fingerprint(s) or such
Hard as every scan is different. Slightly more/less pressure, slightly different finger angle...
The master key is in a lockbox at the bottom of the Atlantic, encrypted with a Caesar cipher, written backwards in runic with lemon juice.
But your fingerprint is not read 100% the same every time so you would not be able to decrypt any of your files.
Not the physical fingerprint, the mathematical relationship between primary features in the image kind of 'fingerprint'. You know.. the mechanism they use to match your fingerprint *in the first place* to authenticate you?
Right, but they don't require a 100% match on the extracted features. Also, if the key is derived from the fingerprint, and the fingerprint template is stored on the disk, then really the key is just being stored on the disk in a roundabout way and you don't have any better security anyway.
Read up on bitlocker @ wikipedia, the key derived from the user provided password isn't the only means of decryption. I'm SURE they could find a better way than storing the password. And if not, they can at least make it harder to get at. If anyone wants to throw enough resources at it, they'll decrypt your drive anyway. That doesn't mean you should make it easy for them.
Would that work for Network logins?
If you've got mapped drives, I'd imagine that the server is going to need more than a "yup, this is Bob all-right" from the client machine. If the user hasn't typed his/her password in at login, then how would it get to the remote server without being stored somewhere?
And without an authenticating master password, I don't see a way to safely store secure data. There may be an obscure alghorythm or something of the sort to mash it up, but eventually it needs to be decryptable, which - without human intervention - means hard-coded methods of doing so which are subject to discovery and abuse.
Similar issues arise in Linux-land if you have an encrypted password keystore and auto-login. You need to either login to the keystore, or re-enter your wifi password to connect to an AP, or have the AP password saved in a way that is plaintext or encrypted in a way that could be duplicated.
No, the problem isn't that you're storing the key; the problem is you have to store the key. If you take 50 uniqueness points from a fingerprint, you'll get 50 points that are almost close enough. You don't get numbers {3, 7, 15, 29, 37, 42} and then again get {3, 7, 15, 29, 37, 42}; what you get is {3, 7, 15, 29, 37, 42} and you store that, and when you plug in you get {3, 8, 14, 27, 36, 44} and that's close enough that it's 99.99% likely to be the same fingerprint. If you generate a key with {3, 8, 14, 27, 36. 44} it won't match the key you generated with {3, 7. 15, 29. 37, 42} and you won't be able to decrypt shit.
Support my political activism on Patreon.
Also, if you want to use (n) keys to reconstruct, you use a finite field and plot a polynomial of degree (n-1). Two points? Plot a line. Three? Quadratic. Four? Cubic. Take four points on a cubic polynomial and run gauss jordan elimination, and you get an equation that generates ALL the points. Then pull the Y intercept as the key. So take key K and generate (rand1)x^2 + (rand2)x + K and pull 15 points, use any 3 points to solve for rand1, rand2, and K.
Support my political activism on Patreon.