Wednesday, September 5, 2012
Widely used fingerprint reader exposes Windows passwords in seconds
Fingerprint-reading software preinstalled on laptops sold by Dell, Sony, and at least 14 other PC makers contains a serious weakness that makes it trivial for hackers with physical control of the machine to quickly recover account passwords, security researchers said.
The UPEK Protector Suite, which was acquired by Melbourne, Florida-based Authentec two years ago, is marketed as a secure means for logging into Windows computers using an owner's unique fingerprint, rather than a user-memorized password. In reality, using the software makes users less secure than they otherwise would be. When activated, the software writes Windows account passwords to the registry and encrypts them with a key that is easy for hackers to retrieve. Once the key has been acquired, it takes seconds to decrypt the password.
"After analyzing a number of laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite, we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted," said an advisory issued by Elcomsoft, a Russia-based developer of password-cracking software. "Having physical access to a laptop running UPEK Protector Suite, we could extract passwords to all user accounts with fingerprint-enabled logon."
When Protector Suite isn't activated, Windows doesn't store account passwords in the registry unless users have specifically configured an account to automatically log in. Security experts have long counseled people not to use automatic login.
That puts computers running the UPEK app at a severe disadvantage compared with those whose owners log in with a strong password alone. The most obvious disadvantage affects computers that have the Windows Encrypting File System (EFS) enabled to keep third parties from reading sensitive files or folders. The key that unlocks that encrypted data is protected by the Windows account password, so once the password is retrieved, the EFS-encrypted data stored on the computer can quickly be decrypted.
Further, having quick access to the account password could unlock other data that might otherwise be harder to obtain. The Windows Data Protection application programming interface, for example, is also closely tied to account passwords and controls access to credentials used by Outlook, Internet Explorer, and possibly other applications. Of course, any time a PC is physically controlled by a hacker, its passwords are vulnerable to cracking attacks that have grown significantly more powerful in recent years. But without the use of the UPEK Protector Suite, hackers have access only to one-way password hashes, which, depending on the complexity of the underlying passcode, can take years or centuries to recover using brute-force methods. Use of the fingerprint software guarantees the success of the cracking operation, and it can also significantly reduce the time it takes.
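The following PowerShell script is an added example, not code from the article or from UPEK/Authentec. It checks the two things the preceding paragraphs tie to the account password: whether automatic logon (the one case in which Windows itself stores the password in the registry) has left a clear-text password under the Winlogon key, and whether the user's profile contains EFS-encrypted files that would fall along with the password. The function name Test-PasswordExposure is an assumption; the registry path and value names are Windows' documented autologon settings.

```powershell
# Added example: not from the Ars Technica article or from UPEK/Authentec.
# The function name is an assumption; the registry path and value names are
# the documented Windows autologon settings.
function Test-PasswordExposure {
    [CmdletBinding()]
    param(
        # Directory to scan for EFS-encrypted files; defaults to the current profile.
        [string]$ScanRoot = $env:USERPROFILE
    )

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $winlogon -ErrorAction Stop

    # Automatic logon keeps the account password in clear text in DefaultPassword.
    $autoLogon      = ($props.AutoAdminLogon -eq '1')
    $storedPassword = -not [string]::IsNullOrEmpty($props.DefaultPassword)

    if ($autoLogon -or $storedPassword) {
        Write-Warning ("Automatic logon is configured for '{0}'; the password is readable under {1}." -f $props.DefaultUserName, $winlogon)
        # Remediation (left commented so the check itself has no side effects):
        # Set-ItemProperty    -Path $winlogon -Name AutoAdminLogon  -Value '0'
        # Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
    } else {
        Write-Verbose 'No clear-text autologon password found under Winlogon.'
    }

    # EFS-encrypted files are only as safe as the account password that protects
    # the user's EFS key, so enumerate them to show what a recovered password unlocks.
    $efsFiles = @(Get-ChildItem -Path $ScanRoot -Recurse -File -Attributes Encrypted -ErrorAction SilentlyContinue)
    if ($efsFiles.Count -gt 0) {
        Write-Warning ("{0} EFS-encrypted file(s) under {1} depend on the account password." -f $efsFiles.Count, $ScanRoot)
    }

    # Return a summary object so the result can be logged or fed to other scripts.
    [pscustomobject]@{
        AutoLogonEnabled  = $autoLogon
        ClearTextPassword = $storedPassword
        AutoLogonUser     = $props.DefaultUserName
        EfsFileCount      = $efsFiles.Count
        EfsFiles          = @($efsFiles | Select-Object -ExpandProperty FullName)
    }
}

# Usage: run from an elevated prompt so HKLM and the whole profile are readable.
Test-PasswordExposure -Verbose
```

Two caveats. The Sysinternals Autologon tool stores the password as an LSA secret rather than as the DefaultPassword registry value, so that variant (still recoverable by anyone with administrative or physical access) is not caught by this check. And because the article does not give the registry location of the Protector Suite password store, the script does not look for it; it only shows what else on the machine hinges on the same password.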
The easily cracked passwords are stored in the Windows registry even after the Protector Suite software has been deactivated, according to the Elcomsoft advisory. It is only removed when a user manually deletes it. The precise registry location of the encrypted password is not yet known. This article will be updated with instructions for locating and removing it if that information can be obtained.
Authentec no longer actively markets Protector Suite, but according to archived data from the UPEK website, the app ships, or used to ship, on laptops manufactured by 16 different companies. In addition to Dell and Acer, the PC makers include Amoi, Asus, Clevo, Compal, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC, Sager, Samsung, Sony, and Toshiba.
It's unclear if Authentec officials plan to recall the product or issue an advisory warning laptop owners of the vulnerability. Company representatives didn't respond to Ars Technica e-mails requesting comment for this article. The Elcomsoft findings follow research published last month that showed that password hints are easily extracted from Windows 7 and Windows 8 machines.
The discovery serves as a useful reality check for marketers who portray fingerprints and other user biometrics as a panacea for the difficulty of remembering and securing passwords. In fact, biometric readers are only as secure as the software that implements them. And even when devices are free of such implementation errors, biometrics such as fingerprints and iris scans may be vulnerable to cloning, opening up the possibility of a new class of attacks on the alternate authentication methods.
According to Elcomsoft, Authentec officials have already said they're aware of the weakness. If true, it's disappointing that the company has yet to share that knowledge with the millions of people who likely have the software installed on their computers. A tutorial included with UPEK Protector Suite 2009 installed on a Sony Vaio touts the convenience of the application with the tag line: "Protect your digital privacy." It goes on to emphasize the benefits of using Protector Suite to encrypt files and folders. Now that a weakness has come to light that seriously undermines those assurances, Authentec should recall the software, or at the very least warn users that it is susceptible to serious attack.