Forgot your password?
typodupeerror
Security Windows Technology

UPEK Fingerprint Reader Software Puts Windows Passwords At Risk 122

Posted by timothy
from the does-that-not-fit-in-with-your-plans? dept.
colinneagle writes with this excerpt from Network World: "If your password management system is to use your 'fingerprint as your master password,' and if your laptop uses UPEK software, then you'll not be happy to know your Windows password is not secure and instead is easily crackable. In fact, 'UPEK's implementation is nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts.' On the Elcomsoft blog about 'advanced password cracking insight,' Olga Koksharova had bad news for people who thought they were more secure by using biometrics, a UPEK fingerprint reader, instead of relying on a password. UPEK stores Windows account passwords in the registry 'almost in plain text, barely scrambled but not encrypted.' It's not just a few that are susceptible to hacking. 'All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible. If you ever registered your fingerprints with UPEK Protector Suite for accelerated Windows login and typed your account password there, you are at risk.'"
This discussion has been archived. No new comments can be posted.

UPEK Fingerprint Reader Software Puts Windows Passwords At Risk

Comments Filter:
  • by schaiba (2708709) on Thursday September 06, 2012 @03:45PM (#41252585)
    ...I don't really know.
    • ...I don't really know.

      You're modded -1, but your post is completely accurate.
      What did people think the software was doing? Generating a key based on your fingerprint that stays the same every time you scan it and then using that key to decrypt passwords that are properly encrypted? As if!

    • Exactly. Even if they had implemented it well, within the security community, the concept is thoroughly discredited.

      The primary attribute of a user id is that it be unique.

      The primary attribute of a password is that it be secret.

      Biometrics are (theoretically) unique, but not secret. They make brilliant uids, lousy passwords.

      Re-using uids as passwords is lazy/criminal.

  • Criminals have stopped chopping off right index fingers. More news at 11

  • No surprise (Score:5, Interesting)

    by Anonymous Coward on Thursday September 06, 2012 @03:52PM (#41252661)

    Using fingerprint data as an decryption key is very hard as the information is quite noisy. However, an decryption key is still needed to fetch the password (which, in turn, is needed for example to access encrypted files). Without a secure boot infrastructure a TPM doesn't help, so that leaves only the possibility of storing the key on-disk. Once the key is located, obtaining the password is trival so it doesn't really matter whether strong encryption is used.

    This means that probably all fingerprint scanner software suffers from this flaw.

    • Re:No surprise (Score:4, Interesting)

      by bluefoxlucid (723572) on Thursday September 06, 2012 @04:12PM (#41252927) Journal
      Basically if the fingerprint scanner integrated with Windows Login the same way as third party login systems like Novel Networks et al, it wouldn't need your password until you tried to access an encrypted file. The flaw here is they hack it out by sending your password to Windows; fingerprint data is too noisy, you compare it as "sufficiently similar" but it's going to be too unique to generate a key from with any repeatability and high entropy. Thus they store the key UUENCODED or BASE64 or MIME to obscure it, which doesn't work on hackers. Instead, they should hook the login process and directly complete user authentication without a password, and let windows ask for a password if it tries to touch an EFS file.
      • Basically if the fingerprint scanner integrated with Windows Login the same way as third party login systems like Novel Networks et al, it wouldn't need your password until you tried to access an encrypted file. The flaw here is they hack it out by sending your password to Windows; fingerprint data is too noisy, you compare it as "sufficiently similar" but it's going to be too unique to generate a key from with any repeatability and high entropy. Thus they store the key UUENCODED or BASE64 or MIME to obscure it, which doesn't work on hackers. Instead, they should hook the login process and directly complete user authentication without a password, and let windows ask for a password if it tries to touch an EFS file.

        That wouldn't really work either. What they need to do is store the password in a system encrypted file using the Windows encryption and a per-system negotiated key to access it - perhaps one that uses TPM. Or better yet, assign a specific user (configurable which) that is created for the sole purpose of managing the keys and passwords. The software gets your fingerprint, and then logs in as that user in the background (perhaps using a service) to retrieve the relevant data.

        And, of course, if the wrote t

        • by KGIII (973947)

          If I had initiative I'd start a company having to do with GINA in Virginia and make a unique business name. Yes, yes I am three and have no real point other than that.

        • The software gets your fingerprint, and then logs in as that user in the background (perhaps using a service) to retrieve the relevant data.

          So all you need to do is get the password or token that the software uses to login to that other account and you've got access to all passwords?

          • The software gets your fingerprint, and then logs in as that user in the background (perhaps using a service) to retrieve the relevant data.

            So all you need to do is get the password or token that the software uses to login to that other account and you've got access to all passwords?

            There will always be a weakness. The point is to make it as hard or as difficult as possible to get to - one reason why that should not really be something that each vendor does, but rather an API that Microsoft provides.

            • Except that with the NTLM2 hashes, you can't use the hash to get the password and thus can't use the password to decrypt EFS files. With the system you described, I can boot a Linux LiveCD and copy out all the passwords for all accounts, and then log into anything directly and decrypt any encrypted files I want.
              • Except that with the NTLM2 hashes, you can't use the hash to get the password and thus can't use the password to decrypt EFS files. With the system you described, I can boot a Linux LiveCD and copy out all the passwords for all accounts, and then log into anything directly and decrypt any encrypted files I want.

                FYI - there is a hack for Windows that lets you mount a Windows NTFS file system, and generate a password that is close enough to generate the same hash value. Using a Windows Domain doesn't solve the issue either as the local machine retains a copy (on disk) for authentication when not connected to a network the domain is accessible from. And all the disk encryption softare also stores caches for verification unless you do not use your Windows Credentials for authenticating to the encryption software (in w

                • Uh, no. Maybe with rainbow tables calculated ahead of time, but the hashes are MD4 and not really easily cracked. On the other hand, the actual password used is needed to generate the encryption key for EFS--an MD4 collision isn't "close enough". Physical access always gets you authentication, but it won't get you the actual password (you can't use what you get to log into other accounts with the same password--ie bank accounts) and it won't get you encryption keys.
    • by Anonymous Coward

      Secure boot has no relevance at all.

      This situation is the same for ANY biometric login method. The actual password has to be stored for decryption.

      • by Rich0 (548339)

        Actually it is quite relevant. Just search for examples of using TPM, linux, and trusted Grub to store passwords that can only be retrieved if you boot via the same boot chain. All that Palladium stuff that started the whole treacherous computing buzz years ago was fully implemented in hardware and BIOS - it is only Windows that doesn't generally support it.

        If you boot into an OS that supports it, you can store keys in a TPM hardware vault that can only be retrieved if the software that stored them is run

    • Re:No surprise (Score:4, Informative)

      by cryptizard (2629853) on Thursday September 06, 2012 @07:01PM (#41254639) Homepage
      There is actually some new research into exactly this problem. Using what they call "fuzzy extractors" you can derive a secure key from noisy information. Really cool, check it out http://www.cs.bu.edu/~reyzin/fuzzy.html [bu.edu]
    • So basically if you entered the windows password you were unsafe. The fingerprint itself was safe it was if you had a windows password entered you were insecure as mentioned "UPEK stores Windows account passwords in the registry "almost in plain text, barely scrambled but not encrypted." The fact that 16 major venders used this software kind scary. Some places just use bio metrics and no windows password in that case you would be safe.
  • by RobertLTux (260313) <robert@@@laurencemartin...org> on Thursday September 06, 2012 @03:56PM (#41252713)

    so how long has this been in use before somebody noticed the passwords were effectively PLAIN TEXT??

    folks this is about as smart as swimming near Amnity Island with an open wound on your ankle.

    I propose any kind of Silver Bullet be subjected to the Mitnick Test (throw it at a group of blackhats and then see how long it takes them to break it fix what you find and then pay them enough to keep quiet)

    • by gstoddart (321705) on Thursday September 06, 2012 @04:13PM (#41252959) Homepage

      so how long has this been in use before somebody noticed the passwords were effectively PLAIN TEXT??

      You know, this kind of stuff happens all of the time -- because people are lazy, under pressure from the boss, or just plain stupid.

      Several years ago, I was helping to install some software which was supposed to go onto the machine in the DMZ and reach back into the firewall to access a database.

      It turns out the software stored the admin password in cleartext in a registry key (zero attempts to obfuscate, let alone encrypt). I started shouting this quite loudly to anybody who would listen, and tried to explain why this was ludicrous.

      Eventually I got told it was a low risk, and that I should shut up. Sometimes, management overrules you on these things.

      Sadly, I'm betting someone brought this to someone's attention, and got told to STFU.

    • by dgatwood (11270)

      It's not the fact that it is plain text that concerns me. What concerns me is that it uses a password at all. I'm not personally familiar with how Windows does things, but if you were implementing this on OS X, you'd implement a custom authorization plug-in that would be queried for permission instead of using a password. I assume that this is just a case of the implementors of this particular fingerprint reader tool not knowing what they're doing.

      One of two things is true: either the device can reprodu

    • They're blackhats. They're not good honest citizens. They'll tell you some of the flaws they find so you give them money. They'll keep the others to extort more money out of you in the future. You know, like an investment.
      • hence you would be paying them enough to keep them happy (budget for the extortion in a way) and or get 3 groups that HATE each other to check each other (have a red blue and green team)

  • We were issued laptops with fingerprint biometrics in a science class a couple years ago. I swiped my finger on my friends laptop and it logged into his account for me. Hopefully, despite this new found security hole, they have come a long way since then. I haven't seen these used anywhere. Does anyone find fingerprint biometrics to be useful? Secure? Maybe it's really just to keep the honest people honest.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I haven't seen these used anywhere. Does anyone find fingerprint biometrics to be useful?

      It is very useful to laptop salesmen and computer manufacturers as a selling point/gimmick for the clueless masses.

    • Where I work everyone wanted to use fingerprint scanners as the sole method of authentication. I argued for two factor if using fingerprints - either a password or smart card. They argued up and down how fingerprints were unique, and then I logged into 2 out of the 6 laptops in the meeting room using my unregistered fingerprints. The idea was quickly abandoned thereafter. I have since tried this on a number of the Dell laptops with fingerprint scanners here and have a roughly 15-20% chance one of my fingers
      • by jedwidz (1399015) on Thursday September 06, 2012 @09:21PM (#41255893)

        That's about the same as my success rate after I registered my fingerprints.

        It was faster to just put my gloves on and then type my password.

      • by Hadlock (143607)

        The Thinkpad fingerprint utility allows you to set high and low verification requirements. The high req requires me to swipe 2-3 times often before it will let me in.

        • by eam (192101)

          Still, why would you use an authentication system that relies on a password that is copied every time you touch something? You leave copies of your fingerprints everywhere. Heck, the majority of thinkpad users probably have a copy in the middle of their screen.

    • by DarkOx (621550)

      In general the error rate on the ones cheap enough to put on portable computers is to high to use a sole security device anyway, despite everyone and the brother pretending that they are. If you tune it for to favor type II errors, they can be secure but will be overly frustrating for the user, it will take many swipes most of the time before a good read and match. If it biases toward type Its most likely that if I line up a room full of random people one of them is going to have a finger that will work a

  • Not a surprise that it's vulnerable, but it is surprising how badly they stored the passwords.
  • by fm6 (162816) on Thursday September 06, 2012 @04:09PM (#41252875) Homepage Journal

    Remember that Simpsons ep where Smithers and Burns have to enter their top secret command post? They pass through a dozen high-tech security portals worthy of a James Bond movie to get there. Unexplained is why they didn't just use the other entrance, which consists of a broken screen door.

    Then there's the ISP I used to work for that advertises "Biometric security access". What is means is that a server room in an office building has a lock that can be opened by employee fingerprint. Of course, it can also be opened by an ordinary key, which is what building security uses.

    People buy security tech, and they think they've solved a security problem. Once again I quote Bruce Schneier: security is a process, not a product.

  • by QilessQi (2044624) on Thursday September 06, 2012 @04:13PM (#41252953)

    The best authentication has three components:

    1. Something you know (such as a passphrase), plus...
    2. Something you own (such as the ID number from a FOB which rotates IDs every minute), plus...
    3. Something you are (biometrics).

    You don't use biometrics *instead* of the passphrase or FOB; you use it to augment the effectiveness of those techniques.

    • by bondsbw (888959)

      I disagree. Biometrics can pose a safety and security risk when used to secure very important data. It is often as easy or easier to detach a finger or an eyeball than it is to remove knowledge from someone's brain. And detaching fingers and eyeballs tend to be permanent solutions.

      • by QilessQi (2044624)

        I think we're on the same page, but talking about two entirely different things. I agree that in James Bond scenarios, biometrics might pose a risk to the owner, but I'm talking about why you don't use biometrics by themselves. The article starts with this:

        If your password management system is to use your "fingerprint as your master password," and if your laptop uses UPEK software, then you'll not be happy to know your Windows password is not secure and instead is easily crackable.

        Absolutely. Using biome

    • by tringstad (168599) on Thursday September 06, 2012 @04:50PM (#41253393)

      Biometrics are not and should not be used for authentication at all, they fall under the category of identification.

      Good article on the differences between Identification, Authentication, and Authorization here:

      http://technet.microsoft.com/en-us/library/cc512578.aspx [microsoft.com]

      There is even a section which addresses biometrics specifically.

      • by QilessQi (2044624)

        Wow, that's an interesting perspective. For any tl;dr folks out there, the summary boils it down nicely:

        * Identification: who are you?
        * Authentication: how can you prove it?
        * Authorization: what can you do?

        However, if biometrics are used to back up the assertion of the username in a supplied username/password combo (in 2-factor authentication), they feel a little more like authentication than identification to me. But I see your point, and mod you Informative with my imaginary mod points.

        • by tringstad (168599)

          if biometrics are used to back up the assertion of the username ...

          Biometrics is intended to replace the username, not "back it up".

          ... in a supplied username/password combo (in 2-factor authentication) ...

          Username/password combinations are NOT 2-factor authentication. 2-factor authentication is more along the line of the OP's first two examples of something you have plus something you know. For instance, my gmail account is secured using Google's 2-factor implementation and my smartphone:

          http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html [blogspot.com]

          ... they feel a little more like authentication than identification to me.

          Hopefully this is no longer the case.

        • by tringstad (168599)

          And I just realized that you ARE the OP.

          Imaginary mod points back at ya.

    • by JimBobJoe (2758)

      The best authentication has three components:

      This is an old mantra that I don't think is believed anymore (except by companies that sell biometric systems of course. :)

      Numbers 2 and 3 are essentially the same...they are both something you have. The idea that number 3 is somehow different from number 2 stems from the assumption that biometrics does something special, like it's uncopyable. It's not magical though and it really is just something you have.

    • by Anonymous Coward

      Biometrics cannot be used for authentication without a security guard who pays attention that you are not trying to bypass the biometrics scanner.

      Biometric authentication is extremely easy to bypass:
      1. fooling the scanner directly, using a printed fingerprint, or a face mask, a picture of an iris. It is possible to make scanner that are better, but that also increases false negatives, so most scanners are simple. Still they can be fooled.
      2. recording the output of the scanner, simply play it back.

      So for poi

  • by joeflies (529536) on Thursday September 06, 2012 @04:20PM (#41253031)

    All consumer biometric devices should not be considered "security" devices, but rather "convenience" devices. It makes it easier to log in than typinig a password, and it's more convenient than using an OTP on the desktop. But it's not secure as a password because the password store is on the computer.

    As far as password lockers go, I'm inclined to trust a password store encrypted by a passphrase (like lastpass) rather than a biometric. That's because with a passphrase, you can have a very precise method of unlocking the password store. The passphrase itself vouches for you and is repeatable. A biometric scan may vouch for you, but the values it returns are not a key. Some other key is used to decrypt the password store. And that "some other key" is open to the whims of how it's implemented by the device maker.

    One caveat, on the security scale, commercial biometric devices are a different animal altogether

  • What i don't understand is why in Avengers Loki used a device to actually break skin/eyeball to relay an eye scan remotely. it seems needlessly cruel. The little device could have easily taken a scan and sent the information instead of cutting into the guy's face. Was the guy going to have to give up an eye if he himself ever needed to get at the iridium?
    • by Dr Fro (169927)

      I think Loki just wanted to cut into a guy's face? He didn't seem like a very friendly fellow in the movie...

  • No one will ever figure out how to "decrypt" it.

  • Psssshaw. My voice is my password.

  • by AlienSexist (686923) on Thursday September 06, 2012 @04:27PM (#41253123)
    I always figured that the digital representation of your fingerprint would be extracted and copied. With that copy a number of options could be possible. Perhaps the scan can be bypassed entirely and the biometric computer fed the digital copy. Or perhaps the copy can be used with the reverse-algorithm from the reverse-engineered reader to produce a fingerprint that will have the same "hash value" even if it is not exactly like the owner's. Any one of these "solution" fingerprints could be printed onto paper or some material that would allow proper scanning as a normal finger.

    Let us not forget the rumored "gummy bear" attack [washjeff.edu] on biometric readers in the past [theregister.co.uk].

    But no, I guess it is far ,far easier to just read the users password out of the registry from where the biometric system wrote it.
  • by whoever57 (658626) on Thursday September 06, 2012 @04:29PM (#41253143) Journal

    Under recent versions of Windows, services can be configured to "log on" as a particular user in order to run. This requires the password to be entered.

    If the user's password is later changed, the services will not run, because the "log on" fails. This implies that the password is being stored (perhaps encrypted) somewhere in a fashion that the password can be recovered (in order to be used by the service to "log on").

    If the OS can recover the user's password to log on a service, then other programs should also be able to recover the password.

    Have I misunderstood what is happening to the user login, or is it another hole?

  • Missing the point (Score:4, Insightful)

    by Rich0 (548339) on Thursday September 06, 2012 @04:45PM (#41253333) Homepage

    The summary states that the passwords are scrambled but not encrypted. I fail to see the distinction. If I take a word and reverse it, that is a form of encryption. Sure, it is a very weak form, but it is.

    And if you're going to just store the session key in the registry then it doesn't matter if they're using AES with a 5000-bit key.

    If they used strong encryption on the password database, and then used TPM to store the session key, with a full trusted boot chain to the software needed to obtain the keys, then that would be pretty strong. However, I don't know that enough of Palladium was ever implemented to make this practical. Full-disk encryption software tends to work this way, but that runs before the bootloader, so it only needs the boot chain to be secure up to that point.

    • by Anonymous Coward

      The summary states that the passwords are scrambled but not encrypted. I fail to see the distinction.

      No, if you take a word and reverse it that is not a form of encryption. It's a form of encipherment.
      Enciphering something is the process of applying a calculation or formula to it to obfuscate it.
      Encrypting uses a secret key - in security systems a unique one - in order to make it computationally impossible to retrieve the original data without the secret key.

      • by Rich0 (548339)

        I don't think the terms are used quite so consistently as you suggest.

        Block ciphers use keys. And when looking up the definition of encrypt in a dictionary the first definition was "to put into code or cipher."

        Clasically ciphers and codes have tended to be distinguished on whether they operate at the level of meaning (usually words) or syntax (usually characters).

  • Can anyone tell me which registry entries I should check for? I'd like to verify that uninstalling the software has removed my "barely scrambled" password from the registry.

  • I don't see on a modern laptop why UPEK would even be installed in the first place. If a laptop has a fingerprint scanner, Windows 7 or even Vista will find it and have a native process in place to enroll fingerprints and attach that as a credential to logging in.

    I don't know how secure W7 stores that info, but I'm pretty sure it wouldn't be something trivial to decode. Add a TPM chip and BitLocker [1] to the mix, and the fingerprint database is definitely well protected against intrusion.

    [1]: If you are

Our business in life is not to succeed but to continue to fail in high spirits. -- Robert Louis Stevenson

Working...