A researcher said a fix released by AuthenTec on Sept. 18 falls short of repairing a serious vulnerability in the company’s UPEK Protector Suite fingerprint reader software, which is used as an authenticator on many new consumer and business laptops.
Researchers Adam Caudill and Brandon Wilson this week released a proof-of-concept Windows executable to GitHub and were working on a Metasploit module that would enable a user to extract Windows passwords from the biometric reader. The exploit took advantage of a weak encryption implementation in the reader.
The new version of Protector Suite released less than a month ago does change the encryption implementation in the product and does break Caudill and Wilson’s proof-of-concept exploit, but Caudill told Threatpost the patch would be easy to work around.
Caudill and Wilson recreated research done by Russian security company ElcomSoft, which originally discovered the flawed encryption implementation in the product. ElcomSoft discovered that the reader stores Windows account passwords in the local registry and that the encryption key for password data is generated using MD5 hashing, with the same seed value used for every key. The key is 56 bits, too small for effective security, Caudill said.
The latest version protects the seed value, but still uses only 56 bits of encryption, Caudill said. The new seed value, which is stored in the registry and used in the key-generation process, is protected with Microsoft’s DPAPI, which Caudill said defaults to AES-256 encryption on Windows 7.