"All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible", says Elcomsoft



More password problems from Windows Registry

29 August 2012

In an announcement that echoes the recent revelations about UserPasswordHint in the Windows Registry, a Russian security firm says passwords protected by a fingerprint swiping system are stored in the Registry in ‘nearly’ plain text.

Jonathan Claudius found that users’ ‘password hints’ can be easily extracted from the Registry. Now Elcomsoft reports that with the UPEK Protector Suite installed (which manages the fingerprint reader) “we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted.”

UPEK was bought by AuthenTec which is now being acquired by Apple. AuthenTec now uses different software, says Elcomsoft. But a few years ago, UPEK dominated the market. Statistically, if you have a laptop that is a couple of years old and has a fingerprint scanner, it is quite likely that it is a UPEK system; and quite possibly still operating with the UPEK Protector Suite.

Fingerprint biometric authentication is sold on the basis that it combines ease of use with increased security. With the UPEK system, extra security is sold on the basis of the inviolability of fingerprints. Ease of use comes from simply ‘swiping’ a finger across the reader. Instant access comes by caching the passwords.

But those passwords are stored unencrypted in the Registry. “Having physical access to a laptop running UPEK Protector Suite, we could extract passwords to all user accounts with fingerprint-enabled logon,” says Elcomsoft. “UPEK Protector Suite simply stores the original password to Windows account, making it possible for an intruder to obtain one.”

The problem is widespread. “It is not limited to a certain laptop model or manufacturer,” says Elcomsoft. “All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible. If you ever registered your fingerprints with UPEK Protector Suite for accelerated Windows logon and typed your account password there, you are at risk.”

The solution, it says, is to launch the UPEK Protector Suite and disable the Windows logon feature. “That should clear the stored password for your account.”
