AuthenTec, the security firm that's the target of a $356m acquisition by Apple, has denied reports that possible cryptographic weaknesses in its fingerprint scanner software pose a risk to the security of laptops. Apple's attempted slurp of the fingerprint-scanning firm, which also makes other security products, was announced …
12 million fingerprint scans and usernames found on FBI laptop.
It is a fair point that if you need either physical or admin-level access to perform an exploit then there is no exploit. (I'll let others argue over whether that is the case here.)
Re: Physical Access
I think an important case is being overlooked here: EFS-encrypted files. If an attacker has the laptop in their possession, they need the user's password in order to log in as that user and see that user's EFS-encrypted files. If the attacker changes the account's password from a different account, those EFS-encrypted files can no longer be opened, since the certificate went *POOF* when the password was changed from "outside" the account. For example, starting the system in Safe Mode and using the built-in Administrator account to reset or remove the user's password would permanently lock down that user's EFS-protected files.
But if an attacker can exploit AuthenTec's feeble encryption, they can get the user's password, log in as that user, and access that user's EFS-encrypted stuff. If you don't use EFS, then no harm, no foul. If you do, there's probably a good reason for doing so, and you don't want to be leaving easy workarounds laying about.
I know of at least one large company that generally grants admin-level rights to developers to their own machine so they can do their job. Since this now allows them to read the password of anyone else who has enabled fingerprint login on what is possibly a shared machine, which in turn may actually be a domain login with access to pretty much any machine in the company, I'd say this is definitely an exploit, albeit a rather obscure one.
It depends how smart the company has been with giving "admin" access. I have worked for several companies where you can get "admin" access, but actually it's still pretty well locked down. You can easily have a group granting a high level of access which also prevents certain key changes being made; typically these would include locking off areas of the registry, preventing uninstall of certain software or preventing cancellation of updates being distributed.
That's not to say that the method for entering the password (registry lookup of the real password) isn't rather silly, but the ACLs could lock this area of the registry off from everything except the ID under which GINA runs.
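One way to check whether a registry area has actually been locked off in the way the comment above describes, as an added example that is not part of the thread and not AuthenTec's or Microsoft's code: the key path is a placeholder for whatever key the logon component keeps its data under, and the function lists every identity allowed to read values from it, flagging the broad groups that mean "any logged-on user".

```powershell
# Added example (not from the thread). Lists who can read values under a
# registry key and flags broad groups. $KeyPath is a placeholder; substitute
# the key that should be readable only by the logon component and admins.
function Get-BroadRegistryReaders {
    param(
        [Parameter(Mandatory)][string]$KeyPath   # e.g. 'HKLM:\SOFTWARE\PLACEHOLDER\Credentials'
    )
    # Identities that amount to "every local user"; an Allow/read ACE for any of
    # them means the key's contents are not restricted to the logon component.
    $broad = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
               'NT AUTHORITY\INTERACTIVE')
    $queryValues = [System.Security.AccessControl.RegistryRights]::QueryValues

    $acl = Get-Acl -Path $KeyPath
    foreach ($rule in $acl.Access) {
        # QueryValues is the right that lets a caller read stored values;
        # ReadKey and FullControl both include it. Unexpanded generic rights
        # (e.g. GenericRead on inherited ACEs) are not resolved here.
        $canRead = ($rule.RegistryRights -band $queryValues) -ne 0
        if ($rule.AccessControlType -eq 'Allow' -and $canRead) {
            [pscustomobject]@{
                Key       = $KeyPath
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
                Broad     = ($broad -contains $rule.IdentityReference.Value)
            }
        }
    }
}

# Usage: any row with Broad = True shows the ACL has not been locked down to
# the logon component's identity, which is the mitigation discussed above.
Get-BroadRegistryReaders -KeyPath 'HKLM:\SOFTWARE\PLACEHOLDER\Credentials' |
    Where-Object Broad | Format-Table -AutoSize
```

An ACL of this kind only restricts non-administrative accounts; a local administrator can take ownership of the key and rewrite it, which is the broader point the later comments make.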
If you have administrator access
Then presumably you can install keylogger software and obtain the passwords of anyone who logs in to it after that date. Not only for the PC, but any other site they log in to, see the emails they send others even if they were sent encrypted, and so on. Yes, I know, in domains there is local Administrator versus domain Administrator and you can lock down what local Administrator can do - but if it's possible to prevent them from installing drivers (i.e. keyloggers) then I'd expect you could also prevent them from reading the file that the fingerprint reader software keeps its encrypted passwords in?
If someone has physical access or administrator/root access to a computer, then you really shouldn't worry about there being some sort of potential attack on an encrypted file that stores passwords, because they can easily steal those passwords directly without needing to attack anything.
It sounds like Windows should provide a better way for stuff like fingerprint readers to hook into the OS and validate logins, as saving passwords (no matter how encrypted) seems like a really braindead way of doing it...
"I know of at least one large company that generally grants admin-level rights to developers to their own machine so they can do their job."
They are idiots, then.
Developers of device drivers or software installers need admin access to the test machines that they use. Those test machines can be isolated from the rest of the company network. Developers don't need (*) admin access to the machines they use for email, surfing or their development tools.
(* I'd go further and say they should not have them. If you give developers admin rights to *every* machine they touch then they are never personally bitten by software that needs admin rights for *something* minor but critical. Microsoft learned this lesson the hard way, eventually. The early versions of NT (1990-ish) should have introduced the new culture but 10-15 years later they were still producing compilers and Office software that failed in obscure ways if you didn't have admin rights. I think they've been fairly well-behaved since about 2005.)