Fingerprint-reading software preinstalled on laptops sold by Dell, Sony, and at least 14 other PC makers contains a serious weakness that makes it trivial for hackers with physical control of the machine to quickly recover account passwords, security researchers said. The UPEK Protector Suite, which was acquired by Authentec two years ago, is marketed as a secure means of logging into Windows computers using the owner's unique fingerprint rather than a memorized password. In reality, using the software makes users less secure than they otherwise would be.

When activated, the software writes Windows account passwords to the registry and encrypts them with a key that is easy for hackers to retrieve. Once the key has been acquired, it takes seconds to decrypt the password. 'After analyzing a number of laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite, we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted,' said an advisory from Elcomsoft, a Russia-based developer of password-cracking software. 'Having physical access to a laptop running UPEK Protector Suite, we could extract passwords to all user accounts with fingerprint-enabled logon.' When Protector Suite isn't activated, Windows doesn't store account passwords in the registry unless users have specifically configured an account to log in automatically. Security experts have long counseled people not to use automatic login.

That means users of the UPEK app are at a severe disadvantage compared with people who log in to a Windows account with a strong password. The most obvious disadvantage is for computers that have the Windows feature known as Encrypting File System (EFS) enabled to prevent third parties from accessing sensitive files or folders. The key that unlocks that encrypted data is controlled by the Windows account password. Once the password is retrieved, the EFS-encrypted data stored on the computer can quickly be decrypted. Further, having quick access to the account password could unlock other data that might otherwise be harder to obtain.

The Windows Data Protection API (DPAPI), for example, is also closely tied to account passwords and controls access to credentials used by Outlook, Internet Explorer, and possibly other applications. Of course, any time a PC is physically controlled by a hacker, its passwords are vulnerable to cracking attacks.


But without the UPEK Protector Suite, hackers have access only to one-way password hashes, which, depending on the complexity of the underlying passcode, can take years or centuries to recover using brute-force methods. Use of the fingerprint software guarantees the success of the cracking operation, and it can also significantly reduce the time it takes. The easily cracked passwords remain in the Windows registry even after the Protector Suite software has been deactivated, according to the Elcomsoft advisory; they are only removed when a user manually deletes them. The precise registry location of the encrypted password is not yet known. This article will be updated with instructions for locating and removing it if that information can be obtained. Authentec no longer actively markets Protector Suite, but the app ships—or used to ship—on laptops manufactured by 16 different companies.

In addition to Dell and Acer, other PC makers include Amoi, Asus, Clevo, Compal, Dell, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC, Sager, Samsung, Sony, and Toshiba. It's unclear if Authentec officials plan to recall the product or issue an advisory warning laptop owners of the vulnerability. Company representatives didn't respond to Ars Technica e-mails requesting comment for this article. The Elcomsoft findings follow research published last month that showed that from Windows 7 and Windows 8 machines. The discovery serves as a useful reality check for marketers who portray fingerprints and other user biometrics as a panacea for the difficulty of remembering and securing passwords. In fact, biometric readers are only as secure as the software that implements them.


And even when devices are free of such implementation errors, biometrics such as and may be vulnerable to cloning, opening up the possibility of a new class of attacks on the alternate authentication methods. According to Elcomsoft, Authentec officials have already said they're aware of the weakness. If true, it's disappointing that the company has yet to share that knowledge with the millions of people who likely have the software installed on their computers. A tutorial included with UPEK Protector Suite 2009 installed on a Sony Vaio touts the convenience of the application with the tag line: 'Protect your digital privacy.' It goes on to emphasize the benefits of using Protector Suite to encrypt files and folders.

Now that a weakness has come to light that seriously undermines those assurances, Authentec should recall the software, or at the very least warn users that it is susceptible to serious attack.

On August 28th ElcomSoft announced that they had determined a method to extract Windows passwords from the registry for users of UPEK's fingerprint readers and Protector Suite software (UPEK is now owned by AuthenTec, which is now owned by Apple). What they didn't announce was the technical details of how they did it. A colleague and I have been working to recreate their research – and we have. We have not been in contact with ElcomSoft, so this is an independent re-discovery of this vulnerability.

ElcomSoft has committed to not releasing details, which I understand – but given how likely it is that others will work out this technique, I believe that this information should be available to pen-testers and auditors so that these insecure credentials can be identified.

The Details

ElcomSoft blasted the security of UPEK's product, saying: 'we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted'. This isn't quite accurate – but certainly close enough. The data is stored in the following location (varies by version):

HKEY_LOCAL_MACHINE\SOFTWARE\Virtual Token\Passport 4.0\Passport\ExData

The first 24 bytes are header and size information. After the encrypted data there is a 4-byte number that gives the length of the next section, and the bytes that follow are used in the IV.

The encryption key is 'generated' using a PBKDF2-like function built on MD5 hashing, but when storing data in the registry they aren't using a password – so the outcome is based purely on an MD5 hash that they use as a 'seed' value. This means that the key used is always the same. Better still: the key is only 56 bits.

AES-56

On AuthenTec's website they mention using 56-bit AES (due to the old export restrictions) – this confused me for quite some time. Not only does AES not support 56-bit keys (or anything else shorter than 128 bits); looking at the algorithm, making it support a key size that isn't a multiple of 32 bits would be quite challenging.


So how did they do it? They cheated. They are actually using AES-256, and padding both the 56-bit key and the IV with nulls. In other words, they are taking a very strong cipher and stripping it of its value.


The Data

Besides the Windows password, the data also includes the domain and login (all in Unicode), along with various other bits that are less interesting from a pen-testing perspective. Looking at the raw data, you can identify the password from the P1 header; 0x11 denotes the login, and 0x12 indicates the domain. The biometric data may be of some interest, but not to me.

Code

We've published a proof-of-concept tool to Github. It's written in C#, and thus requires the .NET 4.0 framework to be installed. I also plan to write a Metasploit post module, but it's not ready yet.


UPDATE

So it turns out that AuthenTec released a patch for this on 9/18 – and we missed it (as did pretty much everybody else). We were alerted to the patch late on 10/10, and last night (10/11) we completed work on breaking it. We've updated the Github repository with the new code; it supports both the old versions and the new version they released on 9/18. They are now using DPAPI (among other things), so if you have the new version, you'll need to run it in the context of LocalSystem so that you can access the correct encryption keys. This can be done quite easily with psexec – see the repository for details. From a security perspective, the new version is somewhat more secure – but obviously, still easily attacked.

They are now using a 'seed' of 16 random bytes (stored in ExData and protected via DPAPI), which is hashed with SHA1; the hash is then passed into their key derivation method to produce the 56-bit key that is used to encrypt the main data block. Within the main data block there is another DPAPI block where the password was previously stored – this was something of a surprise to us at first, as they had obfuscated the code to hide this part. This second DPAPI block contains the user's password, and can be easily decrypted with the same method used to decrypt the block containing the 'seed' data. Both of the DPAPI calls use the same entropy data – a block of 0x86 bytes, starting with the word 'Software', with a 0x01 at offset 0x2B and a 0x05 at 0x43 – and as said above, the DPAPI calls are made in the context of the LocalSystem user, so the blocks need to be decrypted within that same context.
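To make the key-strength argument concrete, here is an added Python illustration (my own example for this page, not the vendor's code and not the proof-of-concept tool in the Github repository) that models the two designs described in this post: the original derivation from a fixed MD5 'seed' with no password, padded with nulls to an AES-256 key, and the 9/18 version that hashes a random DPAPI-protected 16-byte seed with SHA1 before the same 56-bit derivation. The HMAC-MD5 loop shape, the iteration count, the FIXED_SEED constant and the hardened alternative are assumptions made for the demonstration; only the design facts stated above come from the post. The example also generalises the point slightly by putting a sound derivation next to both broken ones.

```python
"""Added illustration of the two UPEK key designs described in the post.
Not the vendor's code; the loop shape, iteration count and FIXED_SEED value
are assumptions made for the demonstration."""
import hashlib
import hmac

AES256_KEY_LEN = 32   # bytes: AES-256 takes a full 32-byte key
PRODUCT_KEY_LEN = 7   # bytes: the 56-bit key the post describes


def pbkdf2_like_md5(seed: bytes, password: bytes = b"", iterations: int = 1000,
                    dklen: int = PRODUCT_KEY_LEN) -> bytes:
    """Assumed shape of a 'PBKDF2-like function that uses MD5': one PBKDF2
    block computed with HMAC-MD5, truncated to dklen bytes. What matters for
    the argument is the inputs: with an empty password the result is a pure
    function of the seed."""
    u = hmac.new(password, seed + (1).to_bytes(4, "big"), hashlib.md5).digest()
    acc = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.md5).digest()
        acc = bytearray(a ^ b for a, b in zip(acc, u))
    return bytes(acc[:dklen])


def null_pad(short: bytes, length: int = AES256_KEY_LEN) -> bytes:
    """The trick the post describes: a 7-byte key (or IV) extended with NULs
    so that AES-256 accepts it. Everything past byte 7 is a known constant."""
    return short + b"\x00" * (length - len(short))


# Constructed stand-in for the hard-coded hash the original product used as its 'seed'.
FIXED_SEED = hashlib.md5(b"constructed stand-in for the product constant").digest()


def original_scheme_key() -> bytes:
    """Original design: no password and a constant seed, so every
    installation derives the same 32-byte AES key from public information."""
    return null_pad(pbkdf2_like_md5(FIXED_SEED))


def updated_scheme_key(random_seed: bytes) -> bytes:
    """9/18 design as described: a random 16-byte seed (held under DPAPI on
    the real system) hashed with SHA1, then the same 56-bit derivation and
    NUL padding. The seed is now secret, but the key is still only 56 bits."""
    if len(random_seed) != 16:
        raise ValueError("the post describes a 16-byte seed")
    return null_pad(pbkdf2_like_md5(hashlib.sha1(random_seed).digest()))


def hardened_key(user_secret: bytes, salt: bytes) -> bytes:
    """A sound alternative (an assumption, not something the product does):
    a real secret, a per-install random salt, a modern PBKDF and a
    full-length key with no padding."""
    return hashlib.pbkdf2_hmac("sha256", user_secret, salt, 200_000,
                               dklen=AES256_KEY_LEN)


def effective_bits(derived_key_len: int, secret_input_bits: int) -> int:
    """Work an attacker faces, in bits: bounded by both the entropy that went
    into the derivation and the number of key bytes that are not fixed
    padding. NUL padding adds nothing, whatever cipher sits on top."""
    return min(8 * derived_key_len, secret_input_bits)


def compare_designs() -> dict:
    """Summarise the three designs; these numbers are what the argument turns on."""
    return {
        "original (fixed MD5 seed, no password)": effective_bits(PRODUCT_KEY_LEN, 0),
        "9/18 update (random 16-byte seed, SHA1, 56-bit key)": effective_bits(PRODUCT_KEY_LEN, 128),
        "hardened (256-bit secret, PBKDF2-HMAC-SHA256, 256-bit key)": effective_bits(AES256_KEY_LEN, 256),
    }


if __name__ == "__main__":
    print("original key:", original_scheme_key().hex(), "(same everywhere; tail is padding)")
    print("updated key :", updated_scheme_key(b"\x11" * 16).hex())
    print("hardened key:", hardened_key(b"user passphrase", b"\xaa" * 16).hex())
    for design, bits in compare_designs().items():
        print(f"{bits:4d} effective bits  {design}")
```

Running it shows the two properties the post relies on: original_scheme_key() returns the same 32 bytes on every run with nothing secret behind them, and the 9/18 design, despite its random seed, still collapses to 56 bits because everything after byte 7 of the key is a constant. The hardened variant is there to show that the fix is a full-length key derived from real secret material, not a different way of padding a short one.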

The new homepass.dll file contains new anti-debugging code, as well as obfuscated code to complicate reverse engineering – fortunately, or unfortunately depending on your point of view – these new ‘protection’ mechanisms are trivial to bypass. To avoid this becoming a cat & mouse game, we won’t be releasing further updates to this code – but I think it’s safe to say that it’s fundamentally broken, and any fixes they release can be bypassed without excessive effort. I would not trust this software in a corporate environment.