Now that word is out on a serious password bug in the ubiquitous UPEK Protector Suite fingerprint readers found in most new laptops today, Apple-owned Authentec surely will be able to fix the issue on the double. Not so fast, says one of the researchers looking at the problem.
“It’s a system that’s deeply flawed. At this point all they can do is make it harder, but they won’t be able to stop this kind of attack without some pretty significant changes,” said Adam Caudill, a software developer and self-proclaimed amateur security researcher. “It’s quite likely that whatever patch they release – it could be worked around quickly.”
Caudill and fellow researcher Brandon Wilson recreated work done by Russian security company ElcomSoft, which specializes in password recovery solutions. Both were able to extract Windows passwords from the popular fingerprint reader, technology that was acquired by Apple earlier this year.
The issue lies in a poor encryption implementation where passwords are stored in little more than plain-text, Caudill said. He added there is a significant mitigation in that an attacker would need physical access to a machine and the registry keys involved have their permissions set to Local Admin.
“For individual users, I don’t think this is too bad,” Caudill said. “[But] because of password reuse, it could make things worse, but not the end of the world. It’s in corporate environments that this is a bigger deal since an attacker can easily get the Windows password, they can spread their attack to other machines and other systems far more quickly.”
Caudill and Wilson posted a proof-of-concept Windows executable and code to Github, and are working on a Metasploit module that will help companies pen-test their systems.
“I would be very surprised if we were the only people pursuing this,” Caudill said. “Given how popular these devices are in corporate environments, this is a valuable target. We released this so that pen-testers and auditors could identify these vulnerable credentials and deal with them, before real attackers get them.”
The reader stores Windows account passwords in a local registry key. Caudill explained on his blog that the encryption key for password data is generated using a PBKDF2-like function (password-based key derivation function) that uses MD5 hashing. When storing data in the registry, he said, no password is used. “So the outcome is based purely on an MD5 hash that they are using as a seed value. This means that the key used is always the same,” he wrote.
Worse, Caudill said, the key used to encrypt the user’s password and biometric data is only 56 bits, too small for effective security.
“So the net effect is that all users get the same key,” he said. “From a crypto perspective, this is pretty much just horrible. I have no evidence of it, but I wouldn’t be surprised to learn that somebody else recreated this research as well, but for malicious use.”
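The flaw Caudill describes is a general one: a key derivation function that receives no secret input produces the same key on every machine, however many hash iterations it runs, and truncating it to 56 bits makes a bad situation worse. The following is an added illustration written for this article, not UPEK's code and not a reconstruction of its actual algorithm; the seed value, iteration count and user names are constructed, and the "weak" function is a hypothetical model of the flaw class placed beside a conventional hardened derivation (PBKDF2-HMAC-SHA256 with a per-user random salt and a per-user secret). The audit helpers show the two checks a reviewer would run on such a scheme: do distinct users end up with distinct keys, and how many bits does the key actually carry.

```python
import hashlib
import os

# Constructed stand-in for a vendor-wide fixed seed. Anything hashed from a
# public constant is itself public, no matter how many rounds are applied.
FIXED_SEED = b"constructed-vendor-seed"


def weak_derive_key(username: str, rounds: int = 1000) -> bytes:
    """Hypothetical PBKDF2-like derivation that uses MD5 and NO password input.

    The username is accepted only to mirror a per-account API; it never
    enters the hash, so every account on every machine gets the same key.
    The result is truncated to 7 bytes (56 bits), which is far too short.
    """
    digest = FIXED_SEED
    for _ in range(rounds):
        digest = hashlib.md5(digest).digest()
    return digest[:7]


def strong_derive_key(secret: bytes, salt: bytes, iterations: int = 200_000) -> bytes:
    """Conventional hardened derivation: a real secret, a per-user random salt,
    a slow hash and a full 256-bit output. `secret` is assumed to be something
    the software only holds after the user has authenticated."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def new_salt() -> bytes:
    """Per-user salt; generated once and stored alongside the ciphertext."""
    return os.urandom(16)


def keys_are_shared(derive, inputs) -> bool:
    """Audit check: True if every input produces the identical key."""
    keys = {derive(*args) for args in inputs}
    return len(keys) == 1


def effective_key_bits(key: bytes) -> int:
    """Upper bound on key strength from its length alone."""
    return len(key) * 8


if __name__ == "__main__":
    users = [("alice",), ("bob",), ("carol",)]
    print("weak scheme, all users share one key:", keys_are_shared(weak_derive_key, users))
    print("weak scheme key bits:", effective_key_bits(weak_derive_key("alice")))

    strong_inputs = [(b"constructed-secret-" + u.encode(), new_salt()) for (u,) in users]
    print("strong scheme, all users share one key:", keys_are_shared(strong_derive_key, strong_inputs))
    print("strong scheme key bits:", effective_key_bits(strong_derive_key(*strong_inputs[0])))
```

The salt alone does not rescue the weak design: salting a public seed still yields a key an attacker can recompute from the registry contents, which is why the hardened variant insists on a secret input as well as a salt.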
Dell, IBM/Lenovo, Asus, Sony, Toshiba and many other popular PC makers include UPEK Protector Suite software on their machines. ElcomSoft, meanwhile, first warned users about the flaw in late August, and advises users to disable the Windows log-on feature in UPEK. Researcher Olga Koksharova said this should clear the stored password for an account. “Note that you should clear all stored account passwords to protect all user accounts,” she said.