September 6, 2012 report
ElcomSoft has discovered a security hole in UPEK fingerprint reader software
(Phys.org)—Russian security firm ElcomSoft has posted a blog entry, courtesy of Marketing Director Olga Koksharova, claiming that UPEK software that was preloaded on laptops and other computers to run hardware fingerprint readers, has a huge security hole in it. In the blog entry, Koksharova says her company has found that the UPEK code saves user passwords in the Windows registry in a "barely scrambled" form, and thus is obviously not encrypted, meaning those that gain physical access to the computer can very easily circumvent the fingerprint login process and gain access to all user files.
UPEK software has been until recently, the leading supplier of preloaded software that connects to hardware to allow users to swipe their finger over a device to gain access to a locked computer rather than typing in a password. The idea is that it's easier for users to swipe a finger then to remember and enter sometimes long and complicated passwords. And until now, swiping with a finger has been thought to be more secure than using a password because of the uniqueness of fingerprints and the sometimes simple passwords that people use.
ElcomSoft is warning that all computers with UPEK software installed (and in use) are at risk, and users should take steps to have the password files removed and the software disabled. New laptops are not at risk as UPEK was purchased by another company and now different software (TrueSuite®) is preinstalled on computers that come with fingerprint reading software (which means most laptops). ElcomSoft says they tested a number of laptops and found they were able to break into every one of them with relative ease due to the security hole they've found. They note also that Windows itself never stores passwords in plaintext, with the exception of machines that don't require a password for entry.
Prior to 2010, UPEK software was preinstalled on virtually every well known brand of laptop; sixteen manufacturers in all. ElcomSoft says that Authentic, the company that bought UPEK, has been aware of the security breach for some time and wisely chose to change the software now preinstalled on laptops, but at the same time has failed to notify consumers, leaving millions at considerable risk.
© 2012 Phys.org