Does a fingerprint scanner that’s widely used on laptops sold by Dell and Sony expose Windows passwords, or not?
The answer is unclear after Authentec, the maker of the biometric scanners, rejected claims by the Russian security firm Elcomsoft that its management software contained a dangerous security hole.
Authentec, which makes the widely used UPEK fingerprint scanner, said on Wednesday that it couldn’t find any evidence to support the allegation that its software stores Windows passwords insecurely, exposing customers to potential hacking.
In a statement to Naked Security, the Melbourne, Florida security company said that claims by Elcomsoft that its ProtectorSuite management software stored Windows passwords in a “barely obfuscated form” within the Windows registry were “false” and that requests for more information from Moscow-based Elcomsoft have gone unanswered.
In an August 28th blog post titled “UPEK Fingerprint Readers: a Huge Security Hole,” Elcomsoft director of Marketing Olga Koksharova described what she said was a dangerous security issue with ProtectorSuite, a Windows application that is used to manage interactions with UPEK finger scanners.
The company’s researchers “found that… Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted. Having physical access to a laptop running UPEK Protector Suite, we could extract passwords to all user accounts with fingerprint-enabled logon.”
Authentec acquired the UPEK scanner product with its acquisition of PeerSec Networks in 2010. The hardware enables users to substitute a biometric scan of their fingerprint for a Windows login.
With physical access to a laptop running ProtectorSuite, Koksharova said, “we could extract passwords to all user accounts with fingerprint-enabled logon.”
While knowing the Windows passwords associated with a finger scanner-enabled account doesn’t allow an attacker to circumvent the scanned login, it could allow an attacker with access to the hard drive to view even encrypted content on that drive, Koksharova warned.
The post provided few details, with Koksharova saying that Elcomsoft is withholding details of the vulnerability “in the interests of public responsibility.”
But Brent Dietz, the Director of Corporate Communications at Authentec, said that his company can’t find any evidence to support those claims, and that conversations with Koksharova suggest that Elcomsoft’s warning may be overblown.
“Olga could only say the following: ‘It was an old version of ProtectorSuite tested over half a year ago that held account passwords protected with fingerprint protection in the registry.’ The problem as far as I know is fixed in recent updates,” Dietz wrote to Naked Security in an email.
Elcomsoft has not provided any more details to Authentec, but the company says that it will do a “thorough analysis on anything we may receive from Olga or the Elcomsoft team.”
Dietz said that ProtectorSuite uses AES encryption to protect stored passwords and that the company would never leave passwords in an unencrypted state in its software – past or present. Should the company find evidence to support Elcomsoft’s claims, it will push a patch to customers immediately, Dietz wrote.
If Elcomsoft’s claims hold up, it could pose a serious problem for organizations that rely on the fingerprint scanners for access to laptop and desktop systems. The UPEK scanners and Protector Suite software are sold to a long list of PC makers, so the damage from any hardware or software vulnerability isn’t limited to a particular hardware maker.
Elcomsoft, based in Moscow, Russia, makes a range of enterprise security products including a wireless security auditor, password recovery tool and a forensic toolkit for devices running Apple’s iOS software.
The company has been a gadfly to prominent firms before.
Notably it revealed tools for cracking passwords on both RIM Blackberry and iPhone devices. In 2001, it was also party to a high profile criminal case, brought by the U.S. Department of Justice, that alleged the company and its employees violated the U.S. Digital Millennium Copyright Act when it produced software that cracked Adobe Systems’ e-book file format.
An Elcomsoft employee and Russian citizen, Dmitry Sklyarov, was arrested and detained in the U.S. in that case – which was controversial because creation of the tool in Russia was not a crime.
Fingerprint scanning image from Shutterstock.
Hey, I thought that guys from "Mythbusters" have buried these things already.
They just proved that the scanners can be bypassed in a number of ways by using "lifted" prints.
I always figured a computer keyboard was the best place to lift a print from however, so it's really like leaving your password all over the device you're trying to protect (assuming the attacker has gummi bears or a good supply of acetate and miscellaneous other "secret" materials).
If Authentec is going to deny these claims then Elcomsoft needs to release instructions on how to check your registry and see if you're affected. Lenovo isn't using ProtectorSuite on laptops from 2011 (possibly onward, but pure speculation), but it would be interesting to see if there is a separate tool that might be doing the same.
The following statements stand out:
'Authentec, said that his company can’t find any evidence to support those claims, and that conversations with Koksharova suggest that Elcomsoft's warning may be overblown.'
'The post provided few details, and Koksharova saying that Elcomsoft is withholding details of the vulnerability "in the interests of public responsibility." '
'Elcomsoft has not provided any more details to Authentec, but the company says that it will do a "thorough analysis on anything we may receive from Olga or the Elcomsoft team." '
The claims don't really hold up, do they? Where's the evidence?
Come on Brent, do you really want them to release a public exploit tool for it?
If the passwords are encrypted with AES, then the key needs to be stored somewhere.
Either they can generate it directly from the fingerprint, or it's stored somewhere in the installation of the product.
As far as I know, finger-prints are suitable to generate a key from – they are compared against a database with some fuzziness?
So the key must be stored in the installation?
In which case an attacker can just read the disk for the key?
DO NOT TRUST Elcomsoft, is my informed opinion. They are not a 'security' firm but rather an INSECURITY firm. They make their money selling software designed to access otherwise 'secured' data and information. Just look at their 'products' at http://www.elcomsoft.com/products.html and you will see they freely sell software intended to both recover 'forgotten' passwords and to break passwords and other means of securing your systems. They even sell 'forensic' software suites to assist in 'breaking into' systems that are meant to be secure!
(A relative was head-hunted by them but refused to work for them as it would have nullified his high security rating!)
" They make their money selling software designed to access otherwise 'secured' data and information."
If they are putting out this software to access the "secured" data then obviously it was not all that secure….
Seems to me you're placing the blame in the wrong place; don't attack a company for picking the lock, blame the lock maker for selling you a sorry lock.
Also, just because a locksmith can give you a key to a competitor's lock does not mean his locks are poor quality. In fact that would make me think a bit more of his locks as he has shown mastery of how locks work.
Not saying you should necessarily just blindly trust Elcomsoft. Just that it would be wise to really step back and think about things a bit more clearly.
Elcomsoft do not appear reputable, this is quite likely linked to extortion attempts.