ElcomSoft Discovers a Major Security Hole in Laptops with UPEK Fingerprint Readers


ElcomSoft Co. Ltd. analyzed a number of laptops equipped with UPEK fingerprint readers, and discovered the existence of a major security hole. If fingerprint login is enabled for a certain user, UPEK software is storing passwords to that Windows account in plain text, allowing the analyst to break into that account without performing a lengthy (and not always successful) attack on the password. With every other laptop equipped with a UPEK-manufactured fingerprint reader, the scope of the issue is extremely broad.

The vulnerability, when exploited, makes it possible for the analyst to instantly obtain the original plain-text password to a Windows account. Knowing the original plain-text password to a Windows account allows, among other things, seamlessly accessing encrypted files stored in EFS (Encrypting File System).

The vulnerability is not limited to a certain model or brand of laptop PCs. Instead, it applies to all laptops equipped with all models of UPEK fingerprint readers. ElcomSoft researchers were able to successfully extract plain-text passwords to multiple Windows accounts that were fingerprint login enabled.

More info: http://blog.crackpassword.com/2012/08/upek-fingerprint-readers-a-huge-security-hole/