ElcomSoft, a Russian digital forensics firm, has revealed a major vulnerability in UPEK Protector Suite, a popular biometric security solution that has shipped on machines from practically every large PC vendor, including Acer, Asus, Dell, Lenovo, MSI, Samsung, Sony and Toshiba. According to the researchers, the flaw makes UPEK’s fingerprint reading software less secure than using Windows’ standard password option.
Having analyzed various machines outfitted with UPEK fingerprint readers and software, ElcomSoft discovered that it stores Windows account passwords in the registry in nearly plaintext. Passwords are reportedly “barely scrambled but not encrypted,” allowing someone with physical access to the machine to extract all fingerprint-enabled user account passwords — something that reportedly wouldn’t be possible otherwise.
“Windows itself never stores account passwords [in plaintext] unless you enable automatic login, which is discouraged by Microsoft,” ElcomSoft wrote. “No corporate user will ever use this automatic logon feature, which is often banned by corporate security policies.” Naturally, the concern is that fingerprint authentication is generally an acceptable form of logon security in enterprise environments, leaving many exposed.
“The common perception is that biometric logon is just as, or maybe more secure than password-based one,” ElcomSoft continued. “While biometric logon could be implemented that way, UPEK apparently failed. Instead of using a proper technique, they preferred the easy route: UPEK Protector Suite simply stores the original password to Windows account, making it possible for an intruder to obtain one.”
The company noted that this isn’t necessarily a huge concern for folks with unencrypted hard drives. Someone with physical access to your unencrypted drive could access its contents without a password anyway, whether by loading a live OS, attaching it to another machine or various other methods. Users who rely on Windows’ EFS encryption attribute are the ones who should be most worried, ElcomSoft warned.
“EFS encryption is extremely strong and impossible to break without knowing the original Windows account password. And here comes UPEK Protector Suite. Conveniently storing your plain-text account password, the suite gives the intruder the ability to access your used-to-be-protected EFS encrypted files. Bummer.”
ElcomSoft urged all UPEK Protector Suite users to disable the software’s Windows logon feature, which should clear the stored passwords for your account. The company has notified UPEK about the issue and although it has pledged not to disclose the full details of its research, it has prepared a demo that displays the partial logon credentials of a UPEK-enabled account. This demo will not be made available to the general public.