Does a fingerprint scanner that's widely used on laptops sold by Dell and Sony expose Windows passwords, or not?
The answer is unclear after Authentec, the maker of the biometric scanners refuted claims by the Russian security firm Elcomsoft that its management software contained a dangerous security hole.
Authentec, which makes the widely used UPEK fingerprint scanner, said on Wednesday that it couldn't find any evidence to support the allegation that its software stores Windows passwords insecurely, exposing customers to potential hacking.
In a statement to Naked Security, the Melbourne, Florida security company said that claims by Elcomsoft that its ProtectorSuite management software stored Windows passwords in a "barely obfuscated form" within the Windows registry were "false" and that requests for more information from Moscow-based Elcomsoft have gone unanswered.
In an August 28th blog post titled "UPEK Fingerprint Readers: a Huge Security Hole," Elcomsoft director of Marketing Olga Koksharova described what she said was a dangerous security issue with ProtectorSuite, a Windows application that is used to manage interactions with UPEK finger scanners.
The company's researchers "found that... Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted. Having physical access to a laptop running UPEK Protector Suite, we could extract passwords to all user accounts with fingerprint-enabled logon."
Authentec acquired the UPEK scanner product with its acquisition of PeerSec Networks in 2010. The hardware enables users to substitute a biometric scan of their fingerprint for a Windows login.
With physical access to a laptop running ProtectorSuite, Koksharova said, "we could extract passwords to all user accounts with fingerprint-enabled logon."
While knowing the Windows passwords associated with a finger scanner-enabled account doesn't allow an attacker to circumvent the scanned login, they could allow an attacker with access to the hard drive to view even encrypted content on that drive, Koksharova warned.
The post provided few details, and Koksharova saying that Elcomsoft is withholding details of the vulnerability "in the interests of public responsibility."
But Brent Dietz, the Director of Corporate Communications at Authentec, said that his company can’t find any evidence to support those claims, and that conversations with Koksharova suggest that Elcomsoft's warning may be overblown.
"Olga could only say the following : 'It was an old version of ProtectorSuite tested over half a year ago that held account passwords protected with fingerprint protection in the registry.' The problem as far as I know is fixed in recent updates," Dietz wrote to Naked Security in an email.
Elcomsoft has not provided any more details to Authentec, but the company says that it will do a "thorough analysis on anything we may receive from Olga or the Elcomsoft team."
Dietz said that ProtectorSuite uses AES encryption to protect stored passwords and that the company would never leave passwords in an unencrypted state in its software – past or present. Should the company find evidence to support Elcomsoft's claims, it will push a patch to customers immediately, Dietz wrote.
If Elcomsoft's claims hold up, it could pose a serious problem for organizations that rely on the fingerprint scanners for access to laptop and desktop systems. The UPEK scanners and Protector Suite software are sold to a long list of PC makers, so the damage of any hardware or software vulnerability isn’t limited to a particular hardware maker.
Elcomsoft, based in Moscow, Russia, makes a range of enterprise security products including a wireless security auditor, password recovery tool and a forensic toolkit for devices running Apple’s iOS software.
The company has been a gadfly to prominent firms before.
Notably it revealed tools for cracking passwords on both RIM Blackberry and iPhone devices. In 2001, it was also party to a high profile criminal case, brought by the U.S. Department of Justice, that alleged the company and its employees violated the U.S. Digital Millennium Copyright Act when it produced software that cracked Adobe Systems' e-book file format.
An Elcomsoft employee and Russian citizen, Dmitry Sklyarov, was arrested and detained in the U.S. in that case – which was controversial because creation of the tool in Russia was not a crime.Follow @paulfroberts
Fingerpint scanning image from Shutterstock.