Another security weakness had been identified by different consultants to prove that hackers with physical access to a computer manufactured by Acer, Dell, and 14 other PC makers can easily recover passwords for a Windows account.
The versions of fingerprint-reading software dubbed as UPEK Protector Suite contain the vulnerability. Apple acquired the software company Authentec for $356 million, which also bought a smaller UPEK about 2 years ago. Although the vulnerability was already known as of September, Apple did not release any official word about the issue or offered any work around for end users. There has been no reports of complaints or accusations against Apple as responsible for the apparent weakness of the fingerprint-reading program.
The said software has established itself in the market as an excellent alternative for securely logging into a PC using an owners fingerprint instead of the conventional password. Last September, a Russian company called Elcomsoft that specializes in password-cracking divulged that UPEK does not make users more secure as it stores Windows account passwords to the registry with weakly encrypted key that can be unlocked quickly by hackers. With right tools, it will only take seconds to recover a password Elcomsoft added. The company did not release any technical details to prevent the vulnerability from spreading.
Two additional security experts confirmed that they have independently verified the same weakness and they released an open-source software to allow others to exploit it. The pair said they decided to release the software for educational purposes.
“From a penetration testing perspective, local administrator access is required to obtain the necessary registry key’s value, so it only matters if you already have control of the PC,” said Brandon Wilson, one of the security consultants in an interview with Ars. “But since so many of these devices are used in corporate environments, it makes it easy to obtain domain credentials, and from there, easily expand an attack to other systems.”
The Protector Suite does not store Windows account passwords when it is not active. However, if a user set the computer to automatically log in everytime, Windows will also automatically store passwords in the registry. Automatic log-ins have been discouraged by security experts at the start of its introduction but many people still finds the feature convenient. It was previously thought that disabling the Windows login feature from the software itself would remove the password from the registry but this is not the case, the dou confirmed. Only if the “passport” for a user data is deleted from Protector Suite itself that the password will also be deleted.
Wilson also confirmed that every version he and his partner tested showed the same vulnerability. Other PC makers that preinstalled the software are: Asus, Amoi, Compal, Clevo, Dell, Gateway, IBM/Lenovo, MPC, Itronix, NEC, MSI, Samsung, Sager, Sony, and Toshiba. The same program was renamed by Lenovo as ThinkVantage Fingerprint Software.
It is interesting to note that despite the vulnerability warning, there has been no announcement of recall or official caution from parties involved.