
Laptop fingerprint reader destroys 'entire security model of Windows accounts' - vectorbunny
https://www.networkworld.com/community/blog/laptop-fingerprint-reader-destroys-entire-security-model-windows-accounts
======
llgrrl_
Not the first time that fingerprint readers are deemed the wrong answer (to
the "wrong" problem? -- one better not trust their own fingerprints to keep
their data secure)

From ThinkWiki: <http://www.thinkwiki.org/wiki/Integrated_Fingerprint_Reader>

The UPEK device is supported by thinkfinger. Those devices and Authentec ones
are supported by libfprint.

However: The fingerprint reader is an INSECURE device and gives a false sense
of security! There has been quite a bit of research by a hacker named Starbug,
a member of the Chaos Computer Club, Berlin, Germany. He outlined in two very
good talks how to forge each and every available fingerprint sensor available
at the cost of a few euros, using materials from your local hardware store, a
digicam and a laser printer!

Remember, using fingerprints for authentication is much like having a
password which is written on anything you touch.

~~~
bittermang
And can't be changed. Because they are, you know, attached to you.

I lose a jump drive containing a key file? Easily change the keys on the
server. The lost key is no good to anyone anymore.

My fingerprints get compromised? Uh... cut my own fingers off? Nope, they
still have access. And now I have no fingers.

------
maratd
> UPEK stores Windows account passwords in the registry

OK, let's say that's true. If you're also using Bitlocker (
<http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption> ), which you should
be if you're that concerned about somebody breaching your system ...

Then the only way somebody could access the registry is if they had malware
installed on your computer or had an account on your system with administrator
privileges. If either is true, you're already screwed anyway.

I would be more concerned with the fact that fingerprint readers are really
easy to foil without any wacky software doing funny things.

------
mstromb
I have a circa-2009 Lenovo with a fingerprint reader. On my current Windows
install, I didn't bother to track down the fingerprint reader software as
Windows Update seemed to take care of the driver for it. Is there any way to
figure out what software Microsoft is currently distributing (UPEK Protector
Suite vs AuthenTec TrueSuite)? The article seemed to imply the latter does not
have this flaw, even if the hardware originally came from UPEK.

~~~
acqq
Just go to Device manager, find the fingerprint reader, show driver details.
On my computer it's AuthenTec from 2009.

~~~
Karunamon
That won't show the management software though, will it? It's using UPEK
drivers because it's a UPEK reader in my case (Thinkpad R61), but the actual
fingerprint enrollment and login management is handled through the
ThinkVantage software.

------
rlu
I don't have one of these computers so I don't know how it works, but by
reading the article it seems to me like you need to supply _a_ password to the
software which is then stored in almost plain text. The assumption the article
is making is that people will enter their Windows account password?

Correct me if I'm wrong.

~~~
ljf
You have to supply your windows password to the software. When you swipe your
finger the software then supplies your password to the computer and logs you
in without you having to type it.

~~~
ithkuil
Why is this actually necessary? In Linux, you could create a PAM module that
proves your identity somehow and then says "ok" to the login subsystem.

There is no need to know your password in order to log you in, if the security
subsystem is well designed.

On the other hand, if your home volume is encrypted, the system has to get the
right key somehow; so the key itself should be stored in a way that's
accessible to the fingerprint auth software (i.e. in clear).

Usually the encryption key is based on the user password but it doesn't have
to be the cleartext password. So, using biometrics only, the home volume
encryption is weakened, but the password isn't necessarily revealed, and
that's an important distinction given that most of the people use the same (or
few) password(s) everywhere.

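As an added example (not from the thread), the split ithkuil describes: a random volume key is wrapped once under a KEK derived from the password and once under a secret assumed to be held by the sensor hardware, so a fingerprint unlock never needs the cleartext password stored on the host. The wrap primitive here is a standard-library stand-in for AES-KW, and `device_secret` and the slot layout are assumptions.

```python
import os
import hashlib
import hmac

# Illustrative key wrap (HMAC-SHA256 keystream plus tag). A real design would
# use AES-KW or AES-GCM; this stand-in exists so the example runs on stdlib only.
def _wrap(kek: bytes, key: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(key, stream))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered slot")
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def derive_kek(password: bytes, salt: bytes) -> bytes:
    # Slow KDF: only the derivation is repeated at login; the password is never stored.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=32)

def enroll(password: bytes):
    """Create a volume key and two independent unlock slots for it."""
    volume_key = os.urandom(32)
    salt = os.urandom(16)
    # Assumption: the sensor/TPM holds device_secret and releases it only after
    # a successful fingerprint match; the host keeps just the wrapped key.
    device_secret = os.urandom(32)
    slots = {
        "password": {"salt": salt,
                     "blob": _wrap(derive_kek(password, salt), volume_key)},
        "biometric": {"blob": _wrap(device_secret, volume_key)},
    }
    return slots, device_secret, volume_key

def unlock_with_password(slots, password: bytes) -> bytes:
    s = slots["password"]
    return _unwrap(derive_kek(password, s["salt"]), s["blob"])

def unlock_with_biometric(slots, device_secret: bytes) -> bytes:
    # Compromising this slot plus the device secret exposes the volume key,
    # but never the password: that is the distinction the comment above draws.
    return _unwrap(device_secret, slots["biometric"]["blob"])
```
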
~~~
maxerickson
I'm no expert, but it probably isn't necessary:

<http://msdn.microsoft.com/en-us/magazine/cc163803.aspx>

So it's more that it is a poor implementation.

------
mike-cardwell
I specifically opted out of the fingerprint reader when I bought my Lenovo
T420 Thinkpad last year. I spent a little time researching them before the
purchase and found so many problems with so many readers that I wouldn't feel
safe using one, even if it didn't have any currently known vulnerabilities.

On the other hand, for most people, with a different convenience:security
ratio than mine, they're probably still fine. I was specifically trying to
build a secure laptop.

------
singlow
This seems to say that it is a vulnerability with the Accelerated Log-in
feature. I used to run Windows on my thinkpad and I tried that out for a few
minutes but it seemed like bad news. You swipe your finger at boot time to
unlock the BIOS and it automatically logs into windows after windows loads. I
knew it was doing something that was likely to be bad and turned it off.

------
yason
Using the fingerprint reader as the 'enter' key after typing your real
password would be rather secure.

------
hackmiester
Does anyone know if DigitalPersona readers, such as the one in my HP
TouchSmart tm2t tablet, are similarly insecure? They seem to not need the
Windows password to configure, but I could be mistaken.

------
andrewcooke
the company is denying this -
<http://nakedsecurity.sophos.com/2012/09/06/fingerprint-scanner-security-warning/>
(link from late in the article) - but the vulnerability
sounds like it could be relatively easy to check (for example, are the stored
passwords the same length as the plaintext, or a typical AES block size?).

does anyone have this installed? if so, what do the data in the registry look
like?

~~~
deltaqueue
I have a 2011 Lenovo X220 that has a reader made by UPEK, but it doesn't
employ "ProtectorSuite" software. Lenovo has their own suite of management
applications called ThinkVantage, one of which is "fingerprint reader"
management.

I checked the registry but I'm not sure where to look. Searching for "UPEK"
didn't yield anything resembling a scrambled or encrypted string in or around
the search results, and "fingerprint" rendered too many results.

~~~
andrewcooke
ah well, thanks for looking (i have one too, but it's running linux!)

edit: also, see other answer below for how to check whether it's using the
software described.

