Spines in laptop vendor-land are shivering right now with the news that fingerprint scanners from UPEK take users’ Windows passwords and dumps them in near-plain-text in the registry.
The security howler was turned up in the UPEK Protector Suite, which until recently shipped with laptops using the company’s scanners. While the software was replaced following the merger of UPEK and Authentec, Elcomsoft’s post notes that most users will not have installed the new software.
“UPEK’s implementation is nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts,” wrote Elcomsoft’s Olga Koksharova.
“Windows itself never stores account passwords unless you enable “automatic login”, which is discouraged by Microsoft,” she wrote, however: “After analyzing a number of laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite, we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted.”
Elcomsoft identifies Dell, Acer, ASUS, Gateway, Lenovo, MSI, Samsung, Sony, NEC, Toshiba and others as current or former UPEK customers. Lenovo says in a support forum post that it is investigating the issue; The Register’s searches of the other vendors’ sites doesn’t turn up any other responses as yet.
There are two requirements for the vulnerability to be exploited: the user has to be using the fingerprint scanner as their default Windows login, and an attacker would need physical access to the machine. Elcomsoft recommends that users disable “Windows login” in the UPEK Protector Suite. ®