Laptop Fingerprint Readers Vulnerable To Password Hacks

[InfoSec News <alerts () infosecnews org>]

http://www.informationweek.com/security/vulnerabilities/laptop-fingerprint-readers-vulnerable-to/240006528

By Mathew J. Schwartz
InformationWeek
August 30, 2012

Beware of a "major flaw" in the UPEK Protector Suite software that's 
been preinstalled on many laptops with built-in UPEK fingerprint 
readers.

That warning comes from ElcomSoft, a Russian provider of 
encryption-cracking software.

"After analyzing a number of laptops equipped with UPEK fingerprint 
readers and running UPEK Protector Suite, we found that your Windows 
account passwords are stored in [the] Windows registry almost in plain 
text, barely scrambled but not encrypted," said Olga Koksharova, 
marketing director at ElcomSoft, in a blog post. As a result, anyone 
with physical access to a laptop that runs the UPEK Protector Suite can 
"extract passwords to all user accounts with fingerprint-enabled logon," 
she said.

To mitigate the information security vulnerability, she advised anyone 
with a laptop that has UPEK Protector Suite installed to ensure that the 
"Windows logon feature" in the software is disabled for all accounts on 
the machine, which should then clear all stored passwords. She noted 
that UPEK's biometric software has been included on devices manufactured 
by Acer, Asus, Dell, Gateway, Lenovo, MSI, NEC, Samsung, Sony, and 
Toshiba.

[...]