A researcher said a fix released by Authentec on Sept. 18 falls short of repairing a serious vulnerability in the company’s UPEK Protector Suite fingerprint reader software used as an authenticator on many new consumer and business laptops.

Researchers Adam Caudill and Brandon Wilson this week released a proof-of-concept Windows executable to Github and were working on a Metasploit module that would enable a user to extract Windows passwords from the biometric reader. The exploit took advantage of a weak encryption implementation in the reader.

The new version of Protector Suite released less than a month ago does change the encryption implementation in the product and does break Caudill and Wilson’s proof-of-concept exploit, but Caudill told Threatpost the patch would be easy to work around.

“It’s a Band-Aid at best,” Caudill said.

Caudill and Wilson recreated research done by a Russian security company ElcomSoft, which originally discovered the flawed encryption implementation in the product. ElcomSoft discovered that the reader stores Windows account passwords in a local registry and the encryption key for password data is generated using MD5 hashing which is used as the same seed value for every key. The key is 56 bits, too small for effective security, Caudill said.

The latest version protects the seed value, but still uses only 56 bits of encryption, Caudill said. The new seed value stored in the registry that’s used in the key-generation process is protected with Microsoft’s DPAPI, which Caudill said defaults to AES-256 encryption on Windows 7.

“The user’s password is still in the registry, they are still crippling the encryption used to protect it by only setting 56 bits of the encryption key,” Caudill said. “But they are no longer using a fixed key, which is certainly a good thing. I’ve no idea why they didn’t use DPAPI to protect the user data instead of just the seed. [That] makes no sense to me.”

Authentec and Apple did not respond to multiple requests for comment.

Caudill said he would be surprised if he and Wilson were the only researchers pursuing exploits.

“Given how popular these devices are in corporate environments, this is a valuable target,” Caudill said. “We released [the exploit] so that pen-testers and auditors could identify these vulnerable credentials and deal with them, before real attackers get them.”

UPEK Protector Suite fingerprint readers are found on many popular PCs and laptops, including new machines from Dell, Lenovo, Asus and many others.

Categories: Vulnerabilities