Jonathan Claudius found that users’ ‘password hints’ can be easily extracted from the Registry. Now Elcomsoft reports that where the UPEK Protector Suite (the software that manages the fingerprint reader) is installed, “we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted.”
UPEK was bought by AuthenTec, which is now being acquired by Apple. AuthenTec now uses different software, says Elcomsoft. But a few years ago UPEK dominated the market, so if you have a laptop that is a couple of years old and has a fingerprint scanner, it is quite likely a UPEK system, and quite possibly still running the UPEK Protector Suite.
Fingerprint biometric authentication is sold on the basis that it combines ease of use with increased security. With the UPEK system, the extra security is claimed on the basis of the inviolability of fingerprints, and the ease of use comes from simply ‘swiping’ a finger across the reader. The instant access that follows the swipe comes from caching the Windows account password: the software keeps a copy and supplies it to the logon on your behalf.
But that cached password is stored in the Registry with only trivial scrambling, not encryption, so anyone with physical access to the machine can recover it. “Having physical access to a laptop running UPEK Protector Suite, we could extract passwords to all user accounts with fingerprint-enabled logon,” says Elcomsoft. “UPEK Protector Suite simply stores the original password to Windows account, making it possible for an intruder to obtain one.”
The problem is widespread. “It is not limited to a certain laptop model or manufacturer,” says Elcomsoft. “All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible. If you ever registered your fingerprints with UPEK Protector Suite for accelerated Windows logon and typed your account password there, you are at risk.”
The fix, it says, is to launch the UPEK Protector Suite and disable the Windows logon feature. “That should clear the stored password for your account.” Clearing the cached copy only protects you from that point on: if the laptop has already been out of your hands, the password may already have been extracted, and the account password itself should be changed.