Fingerprint reader reveals passwords
The flaw is present in the UPEK Protector Suite, the software that interfaces the company's scanner hardware with Windows. This software was apparently pre-installed on a wide range of laptops that include UPEK devices. According to a list on the manufacturer's web site, which has since been deleted, different variants of the UPEK readers are used in laptops from most major manufacturers, including Dell, Lenovo, ASUS, Acer, Samsung and Toshiba. UPEK Protector Suite is also sold as a stand-alone product.
The UPEK Protector Suite saves the user's password in the Windows registry when the fingerprint-based login functionality is activated. This is necessary so that the application can present Windows with the user's password once a valid fingerprint is detected. The passwords are encrypted with the AES cipher, but the encryption has apparently been implemented incorrectly. According to ElcomSoft, the key is always the same and can be reconstructed. To demonstrate this, the ElcomSoft developers have provided The H's associates at heise Security with a tool that shows the first three characters of the password of every user on a system on which the Protector Suite is installed and who has activated its Windows login functionality.
In cases where an attacker has physical access to a machine, they can gain access to a user's account even without this vulnerability, but they will not easily be able to get hold of the user's unencrypted password. The vulnerability in the UPEK software makes it trivial to retrieve the plain text passwords, and with them access to data encrypted with the Encrypting File System (EFS) functionality built into Windows.
ElcomSoft recommends disabling the UPEK Protector Suite's login function, which prevents passwords from being saved in the registry in an insecure manner. When heise Security tested this, however, doing so did not stop ElcomSoft's tool from extracting the passwords of users who had used the UPEK software in the past. Even changing the Windows passwords of those users did not help. The only way to ensure the security hole is closed seems to be to uninstall the Protector Suite software.
Speaking to heise Security, representatives of AuthenTec acknowledged the problem and said that they are preparing a fixed version of the product which should be available for download before the end of this week. The new version is supposed to generate unique keys when encrypting the passwords.
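The weakness described above (AES with a key that is identical on every machine) and the fix AuthenTec announced (unique keys) can be shown side by side in a few lines. This is an added illustration, not UPEK's or ElcomSoft's code; the article does not say which AES mode or key length Protector Suite uses, so the AES-256-GCM construction, the key sizes, the sample key value and every name below are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// fixedKey models a key baked into every copy of the software, so anyone who has the software has it (constructed sample, not UPEK's key).
var fixedKey = []byte("0123456789abcdef0123456789abcdef")

func NewInstallKey() []byte { return randomBytes(32) } // the announced fix: a fresh 256-bit key per installation

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal stores a password as nonce || AES-256-GCM ciphertext under key.
func seal(key, password []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, password, nil)
}

// open reverses seal; the GCM tag makes it fail under any other key.
func open(key, blob []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("stored blob too short")
}

// CrossInstallDecrypts reports whether an installation holding keyB recovers a password sealed by one holding keyA.
func CrossInstallDecrypts(keyA, keyB []byte, password string) bool {
	got, err := open(keyB, seal(keyA, []byte(password)))
	return err == nil && string(got) == password
}
```

A per-installation key still has to be protected on disk (on Windows, normally by handing it to DPAPI, which ties it to the user's logon); the point shown is only that a key shared by every copy of the software gives no confidentiality against anyone who has a copy.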