"All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible", says Elcomsoft


More password problems from Windows Registry

29 August 2012

In an announcement that echoes the recent revelations about UserPasswordHint in the Windows Registry, a Russian security firm says passwords protected by a fingerprint swiping system are stored in the Registry in ‘nearly’ plain text.

Jonathan Claudius found that users’ ‘password hints’ can be easily extracted from the Registry. Now Elcomsoft reports that with the UPEK Protector Suite installed (which manages the fingerprint reader) “we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted.”

UPEK was bought by AuthenTec, which is now being acquired by Apple. AuthenTec now uses different software, says Elcomsoft. But a few years ago, UPEK dominated the market. Statistically, if you have a laptop that is a couple of years old and has a fingerprint scanner, it is quite likely that it is a UPEK system, and quite possibly still operating with the UPEK Protector Suite.

Fingerprint biometric authentication is sold on the basis that it combines ease of use with increased security. With the UPEK system, extra security is sold on the basis of the inviolability of fingerprints. Ease of use comes from simply ‘swiping’ a finger across the reader. Instant access comes by caching the passwords.

But those passwords are stored unencrypted in the Registry. “Having physical access to a laptop running UPEK Protector Suite, we could extract passwords to all user accounts with fingerprint-enabled logon,” says Elcomsoft. “UPEK Protector Suite simply stores the original password to Windows account, making it possible for an intruder to obtain one.”

The problem is widespread. “It is not limited to a certain laptop model or manufacturer,” says Elcomsoft. “All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible. If you ever registered your fingerprints with UPEK Protector Suite for accelerated Windows logon and typed your account password there, you are at risk.”

The solution, it says, is to launch the UPEK Protector Suite and disable the Windows logon feature. “That should clear the stored password for your account.”
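
For administrators who need to find which machines the advice above applies to, the following PowerShell inventory check is an added example and is not from Elcomsoft or the original article. It reads the standard Windows uninstall registry locations; the `DisplayName` pattern "Protector Suite" and the function name `Find-InstalledProduct` are assumptions made for illustration.

```powershell
# Added example: inventory check for the software named in the article.
# Assumption: the product registers an uninstall entry whose DisplayName
# contains "Protector Suite"; adjust $NamePattern to what your fleet shows.
$NamePattern = '*Protector Suite*'

# Standard per-machine uninstall locations (64-bit and 32-bit registry views).
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Find-InstalledProduct {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [string[]]$Roots = $UninstallRoots
    )
    foreach ($root in $Roots) {
        # Some uninstall subkeys have no DisplayName value; skip those.
        Get-ItemProperty -Path $root -ErrorAction SilentlyContinue |
            Where-Object {
                $_.PSObject.Properties['DisplayName'] -and
                $_.DisplayName -like $Pattern
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer    = $env:COMPUTERNAME
                    DisplayName = $_.DisplayName
                    Version     = $_.DisplayVersion
                    Publisher   = $_.Publisher
                    RegistryKey = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                }
            }
    }
}

$hits = @(Find-InstalledProduct -Pattern $NamePattern)
if ($hits.Count -eq 0) {
    Write-Output "No uninstall entry matching '$NamePattern' on $env:COMPUTERNAME."
} else {
    $hits | Format-Table -AutoSize
    Write-Output 'Follow-up: on each listed machine, open the suite and disable its Windows logon feature.'
}
```

An empty result only means no matching uninstall entry was found; it does not confirm that a fingerprint reader on the machine is managed by other software.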
