ElcomSoft has discovered a security hole in UPEK fingerprint reader software

September 6, 2012 by Bob Yirka report
Image credit: Wikimedia.

(Phys.org)—Russian security firm ElcomSoft has posted a blog entry, courtesy of Marketing Director Olga Koksharova, claiming that UPEK software that was preloaded on laptops and other computers to run hardware fingerprint readers, has a huge security hole in it. In the blog entry, Koksharova says her company has found that the UPEK code saves user passwords in the Windows registry in a "barely scrambled" form, and thus is obviously not encrypted, meaning those that gain physical access to the computer can very easily circumvent the fingerprint login process and gain access to all user files.

UPEK software has been until recently, the leading supplier of preloaded software that connects to hardware to allow users to swipe their finger over a device to gain access to a locked computer rather than typing in a password. The idea is that it's easier for users to a finger then to remember and enter sometimes long and complicated passwords. And until now, swiping with a finger has been thought to be more secure than using a password because of the uniqueness of and the sometimes simple passwords that people use.

ElcomSoft is warning that all computers with UPEK software installed (and in use) are at risk, and users should take steps to have the password files removed and the software disabled. New laptops are not at risk as UPEK was purchased by another company and now different software (TrueSuite®) is preinstalled on computers that come with fingerprint reading software (which means most laptops). ElcomSoft says they tested a number of laptops and found they were able to break into every one of them with relative ease due to the they've found. They note also that Windows itself never stores in plaintext, with the exception of machines that don't require a password for entry.

Prior to 2010, UPEK software was preinstalled on virtually every well known brand of ; sixteen manufacturers in all. ElcomSoft says that Authentic, the company that bought UPEK, has been aware of the security breach for some time and wisely chose to change the software now preinstalled on laptops, but at the same time has failed to notify consumers, leaving millions at considerable risk.

Explore further: Tired of Passwords? Replace Them With Your Fingerprint

Related Stories

Tired of Passwords? Replace Them With Your Fingerprint

September 14, 2004

If you're like most people, you have more than a dozen passwords and user names to remember. Whether you're checking your e-mail for new messages, catching up on the news, posting to a Web discussion group, or playing games ...

Help! How to avoid fast-moving computer worm

January 28, 2009

Since early January, a worm that has been referred to by several names, including "Downadup," "Kido" and "Conficker," has been infecting millions of computers around the world. The worm exploits a previously discovered vulnerability ...

Are you any good at creating passwords?

January 30, 2010

There's an interesting little study that's been done by security firm Imperva, which analyzed some 32 million passwords posted online in December by some enterprising hacker.

ElcomSoft undoes Apple's location security fix

May 25, 2011

(PhysOrg.com) -- ElcomSoft, a Russian computer forensics company that first came to the attention of the public in 2002 when it was sued and cleared of violations of the Digital Millennium Copyright Act for its eBook copyright ...

Password breach spreads beyond LinkedIn

June 7, 2012

More websites admitted security breaches Thursday after LinkedIn said some of its members' passwords were stolen, and experts warned of email scams targeting users of the social network.

Recommended for you

Nevada researchers trying to turn roadside weed into biofuel

November 26, 2015

Three decades ago, a University of Nevada researcher who obtained one of the first U.S. Energy Department grants to study the potential to turn plants into biofuels became convinced that a roadside weed—curly top gumweed—was ...

Glider pilots aim for the stratosphere

November 20, 2015

Talk about serendipity. Einar Enevoldson was strolling past a scientist's office in 1991 when he noticed a freshly printed image tacked to the wall. He was thunderstruck; it showed faint particles in the sky that proved something ...

1 comment

Adjust slider to filter visible comments by rank

Display comments: newest first

not rated yet Sep 17, 2012
This can be adddressed by using BIO-keys Web-key platform. It provides the highest level of security of any technology tested, the highest NIST rated algorithm in the world..
It also provides the only universal access platform supporting all readers from almost every maker in the world.. Used by the FBI and others.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.