Posts Tagged ‘Protector Suite’

Elcomsoft, UPEK and more

Tuesday, October 2nd, 2012

[That was one *awesome* passphrase! :-)]

Elcomsoft has announced that certain versions of the fingerprint software Protector Suite, made by UPEK (now part of Authentec), store your Windows password in a ‘scrambled’ format in the registry. This gives an attacker, through different entry points, easy access to a user's Windows password. I have no reason not to believe Elcomsoft's claims, but UPEK/Authentec seriously disagrees. In the middle of this I happen to have some questions, and an opinion regarding biometric software today.

Background

I have lost count of all the times colleagues have approached me with a big smile, challenging me to break into their work laptops now that they have enabled fingerprint authentication. Pressing Esc to get the normal logon prompt and then entering my AD username & password logged me in. Having local admin rights made it even easier to conduct pass-the-hash against their locally cached credentials, and the smile turned to sadness. Hey, I have even been accused of cheating when I did that.

I purchased my first fingerprint reader back somewhere in 1999. It was complete crap. Many years later I purchased a Microsoft keyboard with integrated fingerprint reader:

I still remember a very clear warning in their documentation: the fingerprint reader should not be trusted for security. It should be considered as a toy. Oh well.

Today the integrated fingerprint readers in many laptops are the most common place we interact with biometric solutions. IF we choose to use them, of course – there is no requirement from the vendor to do so. Enter Elcomsoft.

Security vs Convenience

Lots of people – including infosec professionals – don't see the difference between using biometric authentication as a security feature and using it as a convenience feature. Simply explained for the home user:

  1. If you use biometric authentication to logon to your laptop, but can bypass it by pressing Esc and entering your username & password, you are using biometrics as a convenience feature.
  2. If you have removed any and all possibilities to logon except by using/including biometrics, you are using biometrics as a security feature.

The differences here are … well… BIG, at least in theory. But wait; that was for the home user. I don’t care much about your private pictures, Christmas wish list and Facebook account anyway, so let's look at it from a corporate perspective:

There is no integrated support for replacing passwords with biometric authentication within Microsoft Windows.

This means that whatever kind of authentication addition or replacement you set up on laptops, tablets or desktop computers in a corporate environment with Active Directory, a password still has to be configured for the user in the domain, and that password is what authenticates the user throughout the domain. Using highly advanced visualization tools, hours and hours of hard work and a colorful palette, I made this infographic to explain what happens:

Using biometric logon, we add another step to the authentication process in a corporate environment. Please note: we added one more step, we didn’t necessarily add one more layer of security.

I blogged about upcoming password security features in Windows 8 Password Security. Please observe that using picture password and/or a PIN is an addition to having a password. They are quite simply convenience features. Having said that, I would like to give kudos to Microsoft for doing quite a bit of research into picture passwords and presenting it in such a detailed form that we can make up an opinion about the security it provides.

What did Elcomsoft discover?

Well, they claim that certain versions of the software in question store your Windows password locally using weak protection (see step 2 in the biometric chain above). Using a simple PoC, they have successfully extracted the Windows password that the biometric software stores in the registry and “decrypted” it.

Since the biometric software is local only, it needs to know your Windows password to properly give you both local and domain access. To repeat: your username and password give you access, not your fingerprint or any other biometric ID. If your password is changed, either locally or in the domain, you will have to provide your new password to the biometric software.

Is this such a big deal?
Yes.

Why?

Good practice is to store passwords using irreversible hash algorithms, preferably strong, slow ones such as PBKDF2, Bcrypt or Scrypt. The draft OWASP cheat sheet on password storage gives more information about such algorithms, and more. Even though Microsoft doesn’t use salting or key stretching in its LM/NTLM algorithms, they are still hash algorithms. You cannot “reverse” the process to get the plaintext password, you have to
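To make the contrast concrete, here is an added example (not code from either post, and not UPEK's actual scheme): a constructed "scrambler" that XORs the password with a key embedded in the program, next to salted, iterated PBKDF2-HMAC-SHA256 storage. The scrambled blob hands the plaintext to anyone who has the program, whereas the hash only lets a verifier check a candidate password; note that a verifier (Windows, a web service) can use the hash, while software that must replay the real password, as the biometric suite does in a domain, cannot.

```python
# Added example: reversible "scrambling" versus one-way password hashing.
import hashlib
import hmac
import os

# Constructed toy scrambler (NOT UPEK's scheme): XOR with a fixed key that
# ships inside the program. Whoever can read the program can undo it.
_TOY_KEY = b"example-fixed-key"


def scramble(password: str) -> bytes:
    data = password.encode("utf-8")
    return bytes(b ^ _TOY_KEY[i % len(_TOY_KEY)] for i, b in enumerate(data))


def unscramble(blob: bytes) -> str:
    # Same operation again yields the plaintext: no secret is really protecting it.
    return bytes(b ^ _TOY_KEY[i % len(_TOY_KEY)] for i, b in enumerate(blob)).decode("utf-8")


# Proper verifier-side storage: per-user random salt plus key stretching.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the stretched hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample passphrase
    print("scrambled blob reverses to:", unscramble(scramble(pw)))
    salt, digest = hash_password(pw)
    print("verify correct passphrase:", verify_password(pw, salt, digest))
    print("verify wrong passphrase:  ", verify_password("wrong", salt, digest))
```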

My Authentec (Thinkpad) fingerprint software, which is NOT affected by Elcomsoft's findings, knows my password (or passphrase in my case), and there is an option in the software to display it on screen, as the video on top shows you.

But I can do pass-the-hash/ticket and more, so why is this a big deal?

Sure you can. But you cannot use those attacks against an Outlook Web Access deployment from the Internet over SSL. You don’t know the user's actual password when you do pass-the-hash attacks, so you cannot check whether the user uses the same password on other services, at work or personally.

If my fingerprint – my biometric template – were the secret key that unlocks the password using reversible encryption like AES, things could perhaps be considered a bit better, but it would still not be good practice to store any user's password using reversible encryption. Which is exactly what my video above shows.

Now, if Elcomsoft's claims are true, malware could easily exploit this weakness to extract users' Windows plaintext passwords in yet another way, adding to the already existing ways of doing so.

I haven’t twisted my mind long enough on this to figure out ways of improving this, but I am open for suggestions. :-)

Source article: http://securitynirvana.blogspot.com/2012/09/elcomsoft-upek-more.html

UPEK Fingerprint Readers: a Huge Security Hole

Tuesday, August 28th, 2012

Most laptops today ship with a fingerprint reader. Most likely, you have a laptop with one. Until very recently, most major manufacturers such as Acer, ASUS, Dell, Gateway, Lenovo, MSI, NEC, Samsung, SONY, Toshiba, and many others were using fingerprint readers manufactured by a single company: UPEK.

Preface

ElcomSoft discovered a major flaw in UPEK Protector Suite, the software shipped with the majority of laptops equipped with UPEK fingerprint readers until the company was acquired by Authentec and switched to different software. Even today, after UPEK's acquisition by Authentec, which now uses TrueSuite® software, many (or most) existing laptop users will simply stay with the old flawed software, not feeling the need to upgrade.

Does Fingerprinting the User Lead to Tighter Security?

Laptops normally come loaded with pre-installed software. Among other things manufacturers install on your brand-new laptop is software communicating with UPEK readers: UPEK Protector Suite. The suite manages fingerprint reading hardware, offering users the convenience of substituting the typing of passwords with a single swipe of a finger. Ultimately, UPEK Protector Suite caches your passwords, offering near-instant login to Web sites and Windows itself.

Logging into Windows by swiping a finger instead of clicking and typing a (probably long and complex) password sounds tempting. And, it works. A simple swipe of your finger, and you’re in. Wonderful; but what about security?

Here’s what UPEK says on its Web site about the Windows login: “Protector Suite QL allows for secure access to Windows by swiping your finger instead of typing a password.” Notice the “secure” part? Well, we found out UPEK makes Windows login anything but secure. In fact, UPEK’s implementation is nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts.

The Issue with UPEK Protector Suite

After analyzing a number of laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite, we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted. Having physical access to a laptop running UPEK Protector Suite, we could extract passwords to all user accounts with fingerprint-enabled logon. Putting things into perspective: Windows itself never stores account passwords unless you enable “automatic login”, which is discouraged by Microsoft. If you use the Windows auto-logon feature, you’ll see a message saying “Using automatic logon can pose a security risk because anyone that has access to your computer will have access to your programs and personal files.” Simply said, no corporate user will ever use this “automatic logon” feature, which is often banned by corporate security policies.

However, fingerprint logon is rarely, if ever, barred. The common perception is that biometric logon is just as secure as, or maybe more secure than, a password-based one. While biometric logon could be implemented that way, UPEK apparently failed. Instead of using a proper technique, they took the easy route: UPEK Protector Suite simply stores the original password of the Windows account, making it possible for an intruder to obtain it.

Storing Windows account passwords in plain text is bad practice. It defeats the entire purpose of enhanced security. In fact, with the current implementation, we cannot speak of any security, as the entire PC becomes extremely easy to exploit for anyone aware of this vulnerability. This time around, UPEK got it completely wrong, introducing a paper link into a stainless steel chain.

If Your Windows Logon Password Is Compromised

What happens if someone gets to know your Windows account password? First, they obviously gain access to all your files and documents. Of course, if they had your laptop and its hard drive at their disposal, they could do that anyway – with one exception: they would not be able to read EFS-encrypted files (those that have the “Encrypt contents to secure data” checkbox ticked in the file properties – Attributes – Advanced). EFS encryption is extremely strong and impossible to break without knowing the original Windows account password.

And here comes UPEK Protector Suite. Conveniently storing your plain-text account password, the suite gives the intruder the ability to access your used-to-be-protected EFS encrypted files. Bummer.

The Scope of the Issue

The scope of this issue is extremely broad. It is not limited to a certain laptop model or manufacturer. All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible. If you ever registered your fingerprints with UPEK Protector Suite for accelerated Windows logon and typed your account password there, you are at risk.

Course of Action

If you care about security of your Windows account, launch UPEK Protector Suite and disable the Windows logon feature. That should clear the stored password for your account. Note that you should clear all stored account passwords to protect all user accounts.

What We Did

ElcomSoft will not disclose full details in the interests of public responsibility. We notified former UPEK about the issue (though surely they already know about it). We also prepared a demo application, which displays partial login credentials of users who enabled fingerprint login. We won’t give it away to the general public; only a limited number of hi-tech journalists will receive this software.