Major Security Issue with Vendor’s Biometric Software
A major security issue was discovered in a vendor's biometric software, the UPEK Protector Suite that ships on laptops from many manufacturers. More specifically, “Laptops from various manufacturers including four of the world's top five largest PC makers, sport fingerprint readers with a flaw in their software described as ‘nothing but a big, glowing security hole compromising the entire security model of Windows accounts’” (Fontana, 2012). This is a serious risk because biometric logon is supposed to add security. Instead, it weakens the security of the whole Windows account just so a user can log in with the swipe of a finger, which defeats the point of having a fingerprint reader.
Elcomsoft, the Microsoft certified partner that found the flaw, described it this way: “[With the biometric fingerprint reader enabled] Windows account passwords are stored in the Windows registry almost in plain text, barely scrambled but not encrypted” (Fontana, 2012). Enabling fingerprint logon therefore leaves the account password on disk in a form that anyone who can read the registry, on the running system or from the disk offline, can recover. I am not sure what the point of having a password is if a user enables the fingerprint reader. According to Olga Koksharova, “We could extract passwords to all user accounts with fingerprint-enabled logon. Putting things into perspective: Windows itself never stores account passwords unless you enable ‘automatic login,’ which is discouraged by Microsoft” (Fontana, 2012). Windows normally keeps only a one-way hash of the password, so an attacker who obtains the hash still has to crack it; the fingerprint software instead stores the password itself, so it can be read straight back. This is a horrible security flaw!
Another interesting fact about the UPEK Protector Suite software is that “Hackers compromising the UPEK software could gain access to all the files and documents on a PC. Elcomsoft notes that hackers would not be able to access EFS-encrypted files without knowledge of the Windows account password” (Fontana, 2012). The catch is that this flaw hands an attacker exactly that password, and the keys protecting EFS files are themselves protected by material derived from it, so EFS-encrypted files are exposed as well. Elcomsoft stated that users of UPEK software should disable the suite's Windows logon feature, that is, the option to log in to Windows with a fingerprint, as a mitigation (Fontana, 2012). To me this also has a cost, because I have used fingerprint readers and they will not always let you log in. You would therefore want to keep the regular Windows password logon available for when your fingerprint will not scan, and that password prompt is exactly what remains once fingerprint logon is turned off.
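A quick way to check a machine for the two registry storage problems this section discusses, written here as an added example (it is not code from the ZDNet article, from Elcomsoft or from UPEK): it looks for the UPEK Protector Suite among the uninstall entries, assuming its display name contains “Protector Suite” (an assumption, not a documented identifier), and reads the documented Winlogon AutoAdminLogon and DefaultPassword values that Koksharova's ‘automatic login’ remark refers to. It does not touch the UPEK data itself and only reads the registry; run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the ZDNet article, Elcomsoft or UPEK.
# Audits a Windows host for the two conditions discussed above:
#   1. whether the UPEK Protector Suite is installed (matched by an ASSUMED
#      uninstall DisplayName containing "Protector Suite"), and
#   2. whether Windows automatic logon is on with a DefaultPassword value,
#      the documented case where Windows itself keeps a password on disk.
# Read-only; run from an elevated PowerShell prompt.

function Get-FingerprintLogonRisk {
    [CmdletBinding()]
    param()

    $findings = @()

    # --- 1. UPEK Protector Suite present? Check the 64-bit and 32-bit uninstall views.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $suite = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like '*Protector Suite*' }   # assumed match string

    if ($suite) {
        $names  = ($suite | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" }) -join '; '
        $result = "FOUND: $names"
        $action = 'Disable its Windows logon (fingerprint) feature or uninstall it, then change the account password.'
    } else {
        $result = 'not found'
        $action = 'none'
    }
    $findings += [pscustomobject]@{ Check = 'UPEK Protector Suite installed'; Result = $result; Action = $action }

    # --- 2. Automatic logon with a password stored in the registry?
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
                                 -ErrorAction SilentlyContinue
    $autoLogon   = ($winlogon.AutoAdminLogon -eq '1')
    $hasPassword = -not [string]::IsNullOrEmpty($winlogon.DefaultPassword)

    if ($autoLogon -and $hasPassword) {
        $result = "ENABLED for '$($winlogon.DefaultUserName)' with DefaultPassword stored in clear text"
        $action = 'Set AutoAdminLogon to 0 and remove the DefaultPassword value.'
    } elseif ($autoLogon) {
        $result = 'enabled, but no DefaultPassword value in this key'
        $action = 'Set AutoAdminLogon to 0.'
    } else {
        $result = 'disabled'
        $action = 'none'
    }
    $findings += [pscustomobject]@{ Check = 'AutoAdminLogon password in registry'; Result = $result; Action = $action }

    return $findings
}

Get-FingerprintLogonRisk | Format-Table -AutoSize -Wrap
```

One caveat: a DefaultPassword string under the Winlogon key is plain text, but automatic logon configured through the netplwiz dialog keeps the password as an LSA secret instead, which this script does not read, so “disabled” here only means the plain-text registry variant is absent. Because the UPEK flaw exposed the password itself rather than a hash, changing the account password after disabling fingerprint logon is the sensible follow-up.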
Sadly, I think the best solution is to disable fingerprint logon entirely and use only the regular Windows password logon. Elcomsoft's website carries a comment from Kevin Mitnick, the famous hacker and social engineer: “I want to thank Elcomsoft for providing the best password auditing and recovery tools on the market” (Fontana, 2012). This comment made me laugh because Kevin Mitnick was clearly being humorous. I hope UPEK learns from this well-known hacker's comment and takes action to fix its fingerprint software.
Reference:
Fontana, J. (2012, September 5). Vendor's biometric software compromises “entire security model of Windows accounts”. ZDNet. Retrieved October 28, 2013, from http://www.zdnet.com/vendors-biometric-software-compromises-entire-security-model-of-windows-accounts-7000003784/