Widely Used Fingerprint Reader Exposes Windows Passwords in Seconds
Fingerprint-reading software preinstalled on laptops sold by Dell, Sony, and at least 14 other PC makers contains a serious weakness that makes it trivial for hackers with physical control of the machine to quickly recover account passwords, security researchers said.
The UPEK Protector Suite, which was acquired by Melbourne, Florida-based Authentec two years ago, is marketed as a secure means for logging into Windows computers using an owner’s unique fingerprint, rather than a user-memorized password. In reality, using the software makes users less secure than they otherwise would be. When activated, the software writes Windows account passwords to the registry and encrypts them with a key that is easy for hackers to retrieve. Once the key has been acquired, it takes seconds to decrypt the password.
“After analyzing a number of laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite, we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted,” said an advisory issued by Elcomsoft, a Russia-based developer of password-cracking software. “Having physical access to a laptop running UPEK Protector Suite, we could extract passwords to all user accounts with fingerprint-enabled logon.”
When Protector Suite isn’t activated, Windows doesn’t store account passwords in the registry unless users have specifically configured an account to automatically log in. Security experts have long counseled people not to use automatic login.