ElcomSoft has discovered a security hole in UPEK fingerprint reader software

Sep 06, 2012 by Bob Yirka

[Image: fingerprint. Image credit: Wikimedia.]

(Phys.org) -- Russian security firm ElcomSoft has posted a blog entry, courtesy of Marketing Director Olga Koksharova, claiming that UPEK software preloaded on laptops and other computers to run hardware fingerprint readers has a huge security hole in it. In the blog entry, Koksharova says her company has found that the UPEK code saves user passwords in the Windows registry in a "barely scrambled" form rather than encrypted, meaning that anyone who gains physical access to the computer can very easily circumvent the fingerprint login process and gain access to all user files.

UPEK has been, until recently, the leading supplier of preloaded software that connects to hardware to allow users to swipe their finger over a device to gain access to a locked computer rather than typing in a password. The idea is that it's easier for users to swipe a finger than to remember and enter sometimes long and complicated passwords. And until now, swiping with a finger has been thought to be more secure than using a password because of the uniqueness of fingerprints and the sometimes simple passwords that people use.

ElcomSoft is warning that all computers with UPEK software installed (and in use) are at risk, and that users should take steps to have the password files removed and the software disabled. New laptops are not at risk, as UPEK was purchased by another company and different software (TrueSuite®) is now preinstalled on computers that come with fingerprint reading software (which means most laptops). ElcomSoft says they tested a number of laptops and found they were able to break into every one of them with relative ease due to the security hole they've found. They note also that Windows itself never stores passwords in plaintext, with the exception of machines that don't require a password for entry.

Prior to 2010, UPEK software was preinstalled on virtually every well-known brand of laptop; sixteen manufacturers in all. ElcomSoft says that AuthenTec, the company that bought UPEK, has been aware of the security breach for some time and wisely chose to change the software now preinstalled on laptops, but at the same time has failed to notify consumers, leaving millions at considerable risk.

User comments : 1

denwil
not rated yet Sep 17, 2012
This can be addressed by using BIO-keys Web-key platform. It provides the highest level of security of any technology tested, the highest NIST rated algorithm in the world.
It also provides the only universal access platform supporting all readers from almost every maker in the world. Used by the FBI and others.