UPEK fingerprint scanners insecure, says Elcomsoft

Spines in laptop vendor-land are shivering right now with the news that fingerprint scanners from UPEK take users’ Windows passwords and dump them in near-plain-text in the registry. The security howler was turned up in the UPEK Protector Suite, which until recently shipped with laptops using the company’s scanners. While the …

COMMENTS

This topic is closed for new posts.
  1.

    Hold on there...

    Hardware access will result in an attacker getting to your files, period (unless you use TrueCrypt or similar, but let's assume that's not in play). Whether they use a Linux Live CD, rip out the HDD and boot it on another machine, or take advantage of this "vulnerability": it doesn't matter. You are owned.

    The problem with this article is its passing mention of "near-plain-text" and later statement that hardware access is required to exploit the vulnerability. What are we supposed to make of that?

    If it's truly near-plain-text, then a normal application should be able to read the registry entry, and we'd have a real problem (assuming someone can figure out how to get the plaintext). But the fact that hardware access is required makes me think it's not so simple. In fact, "near-plain-text" is starting to sound like "encrypted". So, does the fingerprint sensor decrypt the registry value and use it to log on?

    Lacking a more technical explanation, I don't really know what to make of this.

    1. Anonymous Coward

      Re: Hold on there...

      If you read the original article they don't say that physical access is required, only that that is what they used to extract the encoded passwords. There is no indication that you couldn't achieve the same results by using a trojan or remote code execution vulnerability (in fact they say they have PoC code that they will give to journalists, which strongly suggests you only need to run a program rather than mess with hardware).

      1. Richard 12

        Re: Hold on there...

        It's in the Registry as a simple to unscramble key value.

        Programs don't need admin privileges to read an arbitrary Registry key, only to write one, so this is trivial to exploit the moment a miscreant gets any of their code running client-side.

        Really quite astoundingly bad for supposed "security" software.

        1. Anonymous Coward

          Re: Hold on there...

          "...Programs don't need admin privileges to read an arbitrary Registry key, only to write one..."

          The Registry is fully ACLed, you can let any user or none have any level of access you want to any single Registry key. Whether this is implemented or not is another matter, but in the days when the USB port wasn't that easily disabled, the company I worked for had a usb_denied global group, which was set to have no access to a couple of registry keys, which prevented any USB storage being mounted.

          1. Bronek Kozicki

            Re: Registry is ACLed, but ...

            ... how can the software get your password, to log you in (based on your fingerprint), if you have not authenticated yourself yet? Tricky. Although a better scheme should be thought of.

            1. Anonymous Coward

              Re: Registry is ACLed, but ...

              I'm not sure how this particular software works, but I would imagine that the user's fingerprint "password" is not stored in the user's section of the registry, as this would only be loaded after successful authentication. I suspect that the GINA (logon/session controller) is running the software and has access to a section of the registry which is used to store this information, or in a distributed system talks back to a domain controller, running a server portion of the software.

    2. dajames

      Re: Hold on there...

      Lacking a more technical explanation, I don't really know what to make of this.

      Windows security has traditionally depended on passwords. What UPEK's software apparently does is to identify a user by his fingerprint, and then look up the (lightly scrambled) password in the registry in order to use it to log in. Having logged in the user is then able to use the PC and to connect to other computers in Windows domains, etc., as though he'd logged in with a password.

      Note that if you have physical access to someone's PC then you can whip the hard drive out and read it on another PC to get to their data ... but if they have used the Windows Encrypted File System to protect their data you will need their password in order to gain access to their keys and decrypt their data. This is the real weakness that is created by UPEK's folly.

      Windows 7 has a new chunk of functionality called the Windows Biometric Framework which is supposed to make it possible to use a biometric instead of a password to authenticate a user to Windows, but that isn't present in Vista or XP, and the kludgey thing with the stored password is an easy alternative.

      1. mechBgon

        Re: Hold on there...

        To be more succinct, in that scenario, the attacker needs the user's encryption certificate that was used to encrypt the EFS-protected files. And that certificate is unique to that user account, and will be invalid if the account's password is forcibly changed.

        So let's say I find your lost laptop, start it in Safe Mode, log in as the system's built-in Administrator (blank password by default), and change your user account's password to something I know. Now I can log on as you, but I've lost access to your EFS-protected files forever, because I changed your password from another account.

        This is where the attacker would see "OH, it has a fingerprint scanner... let me try that no-brainer UPEK workaround I read about," and could then access your password, log in as you, and have the keys to the kingdom including your encrypted files.

        I have a half-dozen systems using the affected software myself. I'm not lying awake at night about this, but I look forward to a fix in due course.

      2. Bronek Kozicki

        RE: Windows Biometric Framework

        Quite useful stuff, sadly it prevents biometric login on the Administrator account. Which is why I don't use it, and use "legacy" drivers and software instead (on Windows 7). Before howlers start: I'm speaking about a home machine here, with one actual person enrolled to use biometric login on Administrator (me) and a few actual users.

  2. Christian Berger

    Don't rely on fingerprint scanners for anything useful

    1. Fingerprint scanners work by transmitting the secret (your fingerprint) from your finger to the computer. So from that perspective it's as secure as a password.

    2. It's a lot harder to keep your fingerprints secret than keeping your password. If you are not careful you will in fact end up with your fingerprints all over your computer.

    3. Even if UPEK had wanted to encrypt the password securely, they couldn't have done it. They need to be able to decrypt it, and for that they have the key somewhere. Now with a password, you can simply derive the key from the password. With fingerprints you have fairly fuzzy data. It's probably not possible to derive keys from that.
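The third point above is the crux of the design problem, so here is an added illustration of it in Python. This is example code written for this page, not code from UPEK, Elcomsoft or any commenter, and the repeating-XOR "scramble", the embedded key, the salt and the 256-bit fingerprint templates are all constructed for the demonstration (UPEK's actual scrambling scheme is not described on this page and is not reproduced). It shows three things: a reversible scramble whose key ships with the software is recoverable by anything that can run code on the machine; a key derived from a password with a KDF needs no stored secret at all; and the same derivation applied to two captures of the "same" finger that differ in only 3 of 256 bits produces unrelated keys, which is why fuzzy biometric data cannot simply be used as a key.

```python
import hashlib
import hmac

# Constructed constants for the example only.
EMBEDDED_KEY = bytes.fromhex("5a3c9e1f7b2d4086c4")  # stand-in for a constant baked into the software
SALT = b"per-user-random-salt"                        # would be random per enrolment in practice


# 1. Reversible "scrambling" with a key that ships inside the software.
def scramble(password: bytes, key: bytes = EMBEDDED_KEY) -> bytes:
    """Stand-in for a lightly scrambled registry value: a repeating XOR."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(password))


def unscramble(blob: bytes, key: bytes = EMBEDDED_KEY) -> bytes:
    """XOR is its own inverse: whoever holds the constant recovers the password."""
    return scramble(blob, key)


# 2. A key derived from the secret itself (PBKDF2-HMAC-SHA256). Nothing that
#    would let someone else reproduce the key has to be stored on the machine.
def derive_key(secret: bytes, salt: bytes = SALT, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def same_key(enrolled: bytes, presented: bytes) -> bool:
    """True only if the presented secret is bit-for-bit the enrolled one."""
    return hmac.compare_digest(derive_key(enrolled), derive_key(presented))


# 3. Fuzzy biometric samples: two captures of one finger never agree exactly.
def flip_bits(template: bytes, positions) -> bytes:
    """Return a copy of template with the given bit positions inverted."""
    out = bytearray(template)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


# Constructed 256-bit "templates": the second capture differs in 3 bits.
ENROLLED_TEMPLATE = hashlib.sha256(b"constructed finger template").digest()
SECOND_CAPTURE = flip_bits(ENROLLED_TEMPLATE, [5, 77, 201])


if __name__ == "__main__":
    blob = scramble(b"Tr0ub4dor&3")
    print("scrambled registry value  :", blob.hex())
    print("recovered with shipped key:", unscramble(blob))
    print("same password -> same key :", same_key(b"correct horse", b"correct horse"))
    print("typo in password -> same? :", same_key(b"correct horse", b"correct horsf"))
    print("finger bits differing     :", hamming(ENROLLED_TEMPLATE, SECOND_CAPTURE))
    print("finger -> same key?       :", same_key(ENROLLED_TEMPLATE, SECOND_CAPTURE))
    print("derived key bits differing:", hamming(derive_key(ENROLLED_TEMPLATE), derive_key(SECOND_CAPTURE)))
```

The last two lines are the point: a 3-bit disagreement in the input turns into roughly half the output bits disagreeing, so a biometric can only gate access to a key that is stored elsewhere (a TPM-sealed or OS-protected secret), not be the key itself; bridging the gap cryptographically needs a fuzzy extractor or secure sketch, which is a research topic rather than something a driver bundle would ship.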

  3. Anonymous Coward

    Copying fingerprints

    I have a working exploit for this which uses a blue laser diode, pair of sleds and a piece of "heat it up" heatshrink film cut to the appropriate size and once printed curved over a false finger.

    Works with 90% of commercial scanners and with a simple modification should do the rest.

    CERN were scared sh*tless enough by that email back in 2010 to add "live finger detection" via pulse oximeter.

    AC/DC 6EQUJ5

    1. Christian Berger

      Re: Copying fingerprints

      Live finger detection won't help against prosthetics.

      https://www.youtube.com/watch?v=OPtzRQNHzl0

      Particularly since in that case you could simply use a modified mouse.

  4. Anonymous Coward

    In fact

    It measures both differential induction using a capacitive foot plate and the pulse rate.

    If both don't match the fingerprint(s) of the person attempting to gain access... Computer says NYET!

    (insert klaxons and large security guards armed with Tasers and extreme prejudice "conventional" firearms here)

    AC/DC
