Monday, October 28, 2013

Week 10 Blog

Major Security Issue with Vendor’s Biometric Software


A major security issue was discovered with a vendor’s biometric software. More specifically, “Laptops from various manufacturers including four of the world's top five largest PC makers, sport fingerprint readers with a flaw in their software described as ‘nothing but a big, glowing security hole compromising the entire security model of Windows accounts’” (Fontana, 2012). This is a huge security risk because biometric software is supposed to offer more security. Instead, it offers much less security just so that a user can log in with the swipe of a finger. This defeats the entire point of a fingerprint reader.

A Microsoft certified partner stated the following about the fingerprint reader security vulnerability: “[With the biometric fingerprint reader enabled] Windows account passwords are stored in the Windows registry almost in plain text, barely scrambled but not encrypted” (Fontana, 2012). If you enable the fingerprint reader, your password is now practically stored in plain text. I’m not sure what the point of even having a password is if a user enables the fingerprint reader. According to Olga Koksharova, “We could extract passwords to all user accounts with fingerprint-enabled logon. Putting things into perspective: Windows itself never stores account passwords unless you enable ‘automatic login,’ which is discouraged by Microsoft” (Fontana, 2012). The fingerprint reader allows the user’s password to be easily extracted. This is a horrible security flaw!

Another interesting fact about the UPEK Protector Suite software is that “Hackers compromising the UPEK software could gain access to all the files and documents on a PC. Elcomsoft notes that hackers would not be able to access EFS-encrypted files without knowledge of the Windows account password” (Fontana, 2012). Elcomsoft stated that users of UPEK software should disable the Windows logon feature, which would help with this problem (Fontana, 2012). However, to me this seems risky as well, because I have used fingerprint readers and they won’t always let you log in. Therefore, you would want to keep the option of using your Windows logon if your fingerprint will not scan.


Sadly, I think the best solution is to disable the fingerprint reader and only use the Windows logon feature. Elcomsoft’s website had a humorous comment from Kevin Mitnick, a famous hacker and social engineer: “I want to thank Elcomsoft for providing the best password auditing and recovery tools on the market” (Fontana, 2012). This comment made me laugh because Kevin Mitnick was clearly being humorous. I hope this company learns from this well-known hacker’s comment and takes action to fix their fingerprint software.

Reference:
Fontana, J. (2012, September 5). Vendor’s Biometric Software Compromises “Entire Security Model of Windows Accounts”. Retrieved October 28, 2013, from ZDNet: http://www.zdnet.com/vendors-biometric-software-compromises-entire-security-model-of-windows-accounts-7000003784/