ElcomSoft has discovered a security hole in UPEK fingerprint reader software

September 6, 2012 by Bob Yirka

(Phys.org)—Russian security firm ElcomSoft has posted a blog entry, courtesy of Marketing Director Olga Koksharova, claiming that UPEK software that was preloaded on laptops and other computers to run hardware fingerprint readers has a huge security hole in it. In the blog entry, Koksharova says her company has found that the UPEK code saves user passwords in the Windows registry in a "barely scrambled" form rather than encrypting them, meaning those who gain physical access to the computer can very easily circumvent the fingerprint login process and gain access to all user files.

UPEK has been, until recently, the leading supplier of preloaded software that connects to hardware to allow users to swipe their finger over a device to gain access to a locked computer rather than typing in a password. The idea is that it's easier for users to swipe a finger than to remember and enter sometimes long and complicated passwords. And until now, swiping with a finger has been thought to be more secure than using a password because of the uniqueness of fingerprints and the sometimes simple passwords that people use.

ElcomSoft is warning that all computers with UPEK software installed (and in use) are at risk, and users should take steps to have the password files removed and the software disabled. New laptops are not at risk, as UPEK was purchased by another company and different software (TrueSuite®) is now preinstalled on computers that come with fingerprint reading software (which means most laptops). ElcomSoft says they tested a number of laptops and found they were able to break into every one of them with relative ease due to the security hole they've found. They note also that Windows itself never stores passwords in plaintext, with the exception of machines that don't require a password for entry.

Prior to 2010, UPEK software was preinstalled on virtually every well-known brand of laptop; sixteen manufacturers in all. ElcomSoft says that AuthenTec, the company that bought UPEK, has been aware of the security breach for some time and wisely chose to change the software now preinstalled on laptops, but at the same time has failed to notify consumers, leaving millions at considerable risk.


1 comment


Sep 17, 2012
This can be addressed by using BIO-keys Web-key platform. It provides the highest level of security of any technology tested, the highest NIST rated algorithm in the world.
It also provides the only universal access platform supporting all readers from almost every maker in the world. Used by the FBI and others.
