
UPEK Fingerprint Reader Software Puts Windows Passwords At Risk 122

colinneagle writes with this excerpt from Network World: "If your password management system is to use your 'fingerprint as your master password,' and if your laptop uses UPEK software, then you'll not be happy to know your Windows password is not secure and instead is easily crackable. In fact, 'UPEK's implementation is nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts.' On the Elcomsoft blog about 'advanced password cracking insight,' Olga Koksharova had bad news for people who thought they were more secure by using biometrics, a UPEK fingerprint reader, instead of relying on a password. UPEK stores Windows account passwords in the registry 'almost in plain text, barely scrambled but not encrypted.' It's not just a few that are susceptible to hacking. 'All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible. If you ever registered your fingerprints with UPEK Protector Suite for accelerated Windows login and typed your account password there, you are at risk.'"
  • by schaiba ( 2708709 ) on Thursday September 06, 2012 @03:45PM (#41252585)
    ...I don't really know.
  • by fm6 ( 162816 ) on Thursday September 06, 2012 @04:09PM (#41252875) Homepage Journal

    Remember that Simpsons ep where Smithers and Burns have to enter their top secret command post? They pass through a dozen high-tech security portals worthy of a James Bond movie to get there. Unexplained is why they didn't just use the other entrance, which consists of a broken screen door.

    Then there's the ISP I used to work for that advertises "Biometric security access". What it means is that a server room in an office building has a lock that can be opened by employee fingerprint. Of course, it can also be opened by an ordinary key, which is what building security uses.

    People buy security tech, and they think they've solved a security problem. Once again I quote Bruce Schneier: security is a process, not a product.

  • by QilessQi ( 2044624 ) on Thursday September 06, 2012 @04:13PM (#41252953)

    The best authentication has three components:

    1. Something you know (such as a passphrase), plus...
    2. Something you own (such as the ID number from a FOB which rotates IDs every minute), plus...
    3. Something you are (biometrics).

    You don't use biometrics *instead* of the passphrase or FOB; you use it to augment the effectiveness of those techniques.

  • by joeflies ( 529536 ) on Thursday September 06, 2012 @04:20PM (#41253031)

    All consumer biometric devices should not be considered "security" devices, but rather "convenience" devices. It makes it easier to log in than typing a password, and it's more convenient than using an OTP on the desktop. But it's not as secure as a password because the password store is on the computer.

    As far as password lockers go, I'm inclined to trust a password store encrypted by a passphrase (like lastpass) rather than a biometric. That's because with a passphrase, you can have a very precise method of unlocking the password store. The passphrase itself vouches for you and is repeatable. A biometric scan may vouch for you, but the values it returns are not a key. Some other key is used to decrypt the password store. And that "some other key" is open to the whims of how it's implemented by the device maker.

    One caveat: on the security scale, commercial biometric devices are a different animal altogether.

  • by AlienSexist ( 686923 ) on Thursday September 06, 2012 @04:27PM (#41253123)
    I always figured that the digital representation of your fingerprint would be extracted and copied. With that copy a number of options could be possible. Perhaps the scan can be bypassed entirely and the biometric computer fed the digital copy. Or perhaps the copy can be used with the reverse-algorithm from the reverse-engineered reader to produce a fingerprint that will have the same "hash value" even if it is not exactly like the owner's. Any one of these "solution" fingerprints could be printed onto paper or some material that would allow proper scanning as a normal finger.

    Let us not forget the rumored "gummy bear" attack [washjeff.edu] on biometric readers in the past [theregister.co.uk].

    But no, I guess it is far, far easier to just read the user's password out of the registry from where the biometric system wrote it.
  • Missing the point (Score:4, Insightful)

    by Rich0 ( 548339 ) on Thursday September 06, 2012 @04:45PM (#41253333) Homepage

    The summary states that the passwords are scrambled but not encrypted. I fail to see the distinction. If I take a word and reverse it, that is a form of encryption. Sure, it is a very weak form, but it is.

    And if you're going to just store the session key in the registry then it doesn't matter if they're using AES with a 5000-bit key.

    If they used strong encryption on the password database, and then used TPM to store the session key, with a full trusted boot chain to the software needed to obtain the keys, then that would be pretty strong. However, I don't know that enough of Palladium was ever implemented to make this practical. Full-disk encryption software tends to work this way, but that runs before the bootloader, so it only needs the boot chain to be secure up to that point.
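As an added example (not from the thread, and not UPEK's code), a toy Python model of the two designs Rich0 and joeflies contrast: a store whose key is written beside the ciphertext, which anyone holding the blob can unwrap regardless of cipher strength, versus one whose key is derived from a user passphrase with PBKDF2 and never stored. The HMAC counter-mode keystream, the round count and the sample values are all constructed for illustration.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 200_000  # assumed work factor for the passphrase-derived design


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for a real cipher in this toy model."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def store_with_embedded_key(password: str, key: bytes) -> dict:
    """'Scrambled' design: the key is written into the same store as the data."""
    ct = xor(password.encode(), keystream(key, len(password)))
    return {"ciphertext": ct, "key": key}


def recover_from_embedded_key(blob: dict) -> bytes:
    """No secret is required: everything needed is in the blob itself."""
    return xor(blob["ciphertext"], keystream(blob["key"], len(blob["ciphertext"])))


def store_with_passphrase(password: str, passphrase: str, salt: bytes) -> dict:
    """Passphrase-derived design: only a public salt is stored beside the data."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
    ct = xor(password.encode(), keystream(key, len(password)))
    return {"ciphertext": ct, "salt": salt}


def recover_with_passphrase(blob: dict, passphrase: str) -> bytes:
    """Without the right passphrase the blob yields only noise."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), blob["salt"], PBKDF2_ROUNDS)
    return xor(blob["ciphertext"], keystream(key, len(blob["ciphertext"])))


if __name__ == "__main__":
    pw = "Tr0ub4dor&3"  # constructed sample password
    a = store_with_embedded_key(pw, b"\x01" * 32)
    print("embedded key, no secret needed:", recover_from_embedded_key(a))
    b = store_with_passphrase(pw, "correct horse battery", b"constructed-salt")
    print("right passphrase:", recover_with_passphrase(b, "correct horse battery"))
    print("wrong passphrase:", recover_with_passphrase(b, "guess"))
```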

  • by tringstad ( 168599 ) on Thursday September 06, 2012 @04:50PM (#41253393)

    Biometrics are not and should not be used for authentication at all; they fall under the category of identification.

    Good article on the differences between Identification, Authentication, and Authorization here:

    http://technet.microsoft.com/en-us/library/cc512578.aspx [microsoft.com]

    There is even a section which addresses biometrics specifically.

  • by jedwidz ( 1399015 ) on Thursday September 06, 2012 @09:21PM (#41255893)

    That's about the same as my success rate after I registered my fingerprints.

    It was faster to just put my gloves on and then type my password.
