Fingerprint-Reader Flaw Leaves Laptops Less Secure
That fingerprint reader on your laptop may actually make it less secure, two teams of security researchers have independently discovered.
UPEK ProtectorSuite software, installed on laptops made by Asus, Dell, Gateway, Lenovo, Samsung, Sony and Toshiba, among others, scans and saves the user's fingerprint for two-factor authentication.
Or at least the software appears to be using two factors. In fact, the fingerprint-reading software simply copies the regular user password into the Windows Registry, then refers to that stored password whenever a user wants to log in.
The password is saved in a lightly encrypted format that's easy to decipher. (Windows itself saves passwords elsewhere, in an encrypted file that can't be accessed while Windows is running.)
"We found out UPEK makes Windows login anything but secure," wrote Olga Koksharova of Russian password-testing firm ElcomSoft in a blog posting in late August. "In fact, UPEK's implementation is nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts."
Trail of breadcrumbs
ElcomSoft would not disclose exactly how and where the poorly encrypted password was stored by ProtectorSuite, but two American researchers working separately from the Russian company have duplicated ElcomSoft's results and posted them online.
"The data is stored in the following location (varies by version): HKEY_LOCAL_MACHINE\SOFTWARE\Virtual Token\Passport\4.0\Passport\<user>\ExData," wrote Virginia-based researcher Adam Caudill on his blog Sunday (Oct. 7).
"Unfortunately, when storing data in the registry, they aren't using a password — so the outcome is based purely on an MD5 hash that they are using as a 'seed' value," Caudill explained. "This means that the key used is always the same. Better: the key is only 56 bits."
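As an added audit check (not code from the article, ElcomSoft, or Caudill's blog), the following PowerShell script walks the registry path quoted above and reports whether any ExData values are present on the machine, without reading back or decrypting their contents. The base path comes from the article; the recursive walk, the WOW6432Node variant and the Find-ProtectorSuiteExData function name are assumptions made here to cover the version differences Caudill mentions.

```powershell
# Added audit check: does UPEK ProtectorSuite have password material cached under
# the registry path described in the article? Read-only; nothing is decrypted.
# Run from an elevated prompt so every subkey under HKLM is readable.

# Base path from the article; the WOW6432Node variant is an assumption for
# 32-bit ProtectorSuite builds on 64-bit Windows.
$basePaths = @(
    'HKLM:\SOFTWARE\Virtual Token\Passport',
    'HKLM:\SOFTWARE\WOW6432Node\Virtual Token\Passport'
)

function Find-ProtectorSuiteExData {
    param([string[]]$Paths)
    $findings = @()
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # The exact version subkey varies, so walk the whole tree under the base path.
        $keys = Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue
        foreach ($key in $keys) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if ($null -ne $props -and ($props.PSObject.Properties.Name -contains 'ExData')) {
                $findings += [pscustomobject]@{
                    Key         = $key.Name
                    # Report only the size of the blob, never its bytes.
                    ExDataBytes = @($props.ExData).Count
                }
            }
        }
    }
    return $findings
}

$results = @(Find-ProtectorSuiteExData -Paths $basePaths)
if ($results.Count -eq 0) {
    Write-Output 'No ProtectorSuite ExData values found under the checked paths.'
} else {
    Write-Output 'ProtectorSuite ExData values present; the Windows password of each listed account should be treated as exposed:'
    $results | Format-Table -AutoSize
}
```

Because the article notes that a decryption tool for this data is already public, any account that shows up in the output should be handled as if its Windows password were known: remove or reconfigure ProtectorSuite so it no longer stores the Windows logon, then change that account's password, since the cached copy stays decryptable until it is gone.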
This'll be a cinch
TechNewsDaily wasn't able to find a corresponding entry in the Windows Registry of a Dell laptop with UPEK ProtectorSuite installed, but that may have been due to a software-version difference.
In any case, readers of TechNewsDaily may remember the LinkedIn and eHarmony data breaches from earlier this year, in which millions of account passwords for the two sites were dumped into hacker forums.
The LinkedIn and eHarmony passwords were encrypted, but to such a light degree that hackers and researchers could easily decipher them. The UPEK ProtectorSuite encryption appears to fall into the same category.
Caudill's colleague Brandon Wilson created a software tool to quickly decrypt the ProtectorSuite encryption and posted it online.
ProtectorSuite software has been discontinued by UPEK's parent company, AuthenTec, which has in turn been bought by Apple. But many recently made Windows laptops still use the software, according to ElcomSoft.
ElcomSoft and Caudill admitted that the scope of attacks using the ProtectorSuite password flaw would be limited, as attackers would need both administrative privileges and physical or local-network access to targeted machines.
"But since so many of these devices are used in corporate environments, it makes it easy to obtain domain credentials, and from there, easily expand an attack to other systems," Wilson told tech news site Ars Technica.