A view from the technical underground
  • UPEK is better but far from ok.

    Posted on October 28th, 2012 by admin

    UPEK is the maker of the fingerprint scanners on most current laptops. The company was bought last year by a subdivision of Apple called AuthenTec.

    It turns out that if you use your laptop’s fingerprint reader for Windows logon, the password is stored in the registry, protected only by a very weak key. That means anyone who gets access from outside the installed OS (by booting a third-party boot disk) can look up your login and password.

    This currently only works with Windows logon.

    UPEK put out a fix in their forum that addresses the compromise but still uses a weak (56-bit) encryption key, so it can easily be broken again. They need to move up to AES-128 or, even better, AES-256 to be considered safe again.

    If you use a fingerprint scanner for logon, make sure your system is locked down and does not allow booting from USB or CD-ROM. You should be able to lock this from the BIOS.

    Description of the exploit: http://adamcaudill.com/2012/10/07/upek-windows-password-decryption/

    Fix for the September exploit: http://support.authentec.com/Downloads/Windows/ProtectorSuite.aspx

    It still needs to be fixed before it can really be trusted.