May 17, 2013 - 05:15 PM EDT — AAPL: 433.26 (-1.318, -0.3%) | NASDAQ: 3498.965 (+33.722, +0.97%)

Confirmed: Apple-owned fingerprint software exposes Windows passwords

Wednesday, October 10, 2012 · 11:01 am · 25 Comments

“Security consultants have independently confirmed a serious security weakness that makes it trivial for hackers with physical control of many computers sold by Dell, Acer, and at least 14 other manufacturers to quickly recover Windows account passwords,” Dan Goodin reports for Ars Technica.

“The vulnerability is contained in multiple versions of fingerprint-reading software known as UPEK Protector Suite. In July, Apple paid $356 million to buy Authentec, the Melbourne, Florida-based company that acquired the technology from privately held UPEK in 2010,” Goodin reports. “The weakness came to light no later than September, but Apple has yet to acknowledge it or warn end users how to work around it. No one has accused Apple of being responsible for the underlying design of fingerprint-reading software.”

Goodin reports, “The UPEK software has long been marketed as a secure means for logging into Windows computers using an owner’s unique fingerprint, instead of a user-memorized password. Last month, Elcomsoft, a Russia-based developer of password-cracking software, warned that the software makes users less secure than they otherwise would be because it stores Windows account passwords to the registry and encrypts them with a key that is easy for hackers to retrieve. It takes only seconds for people with the key to extract a password, company officials said.”

Read more in the full article here.

MacDailyNews Take: Windows Registry.

Categories: News

Tags: Elcomsoft, hacking, privacy, security, UPEK Protector Suite, Windows, Windows Registry

Thank You for supporting MacDailyNews!

 Apple 13.3" MacBook Air dual-core Intel Core i7 2.0GHz, 8GB RAM, 512GB Flash Storage, Intel HD Graphics 4000, Mac OS X Lion (Z0ND-20GHZ8GB512) only $2,159.99
 Secret Sale Exclusive for MacMall Valued Customers Only
 Apple 15.4" MacBook Pro (with Retina display) quad-core Intel Core i7 2.3GHz/16GB RAM/256GB FS/IntelHD Graphics4000/OS X Lion (Z0MK-15-2.3-16-256RT) only $2,333.99
 Apple Blowouts: Up to $649 OFF on Last Gen Macs. Prices start at $1,999.99 w/ Free Upgrade to OS X Mountain Lion & Free FedEx Overnight ends 02/08 6:15PM PST.
 Apple 13.3" MacBook Pro dual-core Intel Core i7 2.9GHz, 8GB RAM, 750GB 5400-rpm hard drive, Intel HD Graphics 4000, Ships with Mountain Lion (MD102LL/A) only $1,419.97

Comment Feed

25 Comments

GM

Wednesday, October 10, 2012 - 11:05 am · Reply

Damn! More bad news.
- peterblood71
  
  Wednesday, October 10, 2012 - 11:07 am · Reply
  
  For Windows users, heh.
- gcaptain5
  
  Wednesday, October 10, 2012 - 11:16 am · Reply
  
  Sticking everything in the registry is NOT a great idea?
  Someone should let the Windows developers know!
  - qka
    
    Thursday, October 11, 2012 - 12:43 pm · Reply
    
    I remember when the registry first came out for Win95. Someone was trying to explain to me how wonderful it was and all I could think was WTF – this sound like a whole heap of trouble.
    
    The intervening years have continued to support my initial reaction.
- Paul
  
  Wednesday, October 10, 2012 - 11:18 am · Reply
  
  Only if you have a registry in your OS…..aka windoze.
- Spark
  
  Wednesday, October 10, 2012 - 11:21 am · Reply
  
  It’s an opportunity. “Apple acquires imperfect hardware/software company. Improves product bringing new level of safety and convenience to biometric security.”
  - praus
    
    Wednesday, October 10, 2012 - 12:38 pm · Reply
    
    I see an even simpler solution, discontinue the Windows version of the software.
  - kingmel
    
    Wednesday, October 10, 2012 - 2:09 pm · Reply
    
    Just wait for the lawsuit train to pull out from the station – a class action suit covering tens of millions of Windows users seeking money from Apple.
    
    There are risks to acquiring a company. Unforeseen legal liabilities are one of them.
- SuperKmart
  
  Wednesday, October 10, 2012 - 6:34 pm · Reply
  
  This would be even better news if Apple decides to END of Life the windows based products and cancels all OEM agreements with respect to this hardware. Then Apple assimilates the technology into an IOS environment as a secure & fixed product leaving WinBlows users with a username & password. Do to them what Windows has always done to Mac users. Leave them hanging
  Windows and security is an oxymoron and Balmer is just a moron. May he preside at the helm of the Titanic until it rests deep in the abyss. Sounds like a registry problem to me not a software design problem. If important stuff is supposed to go into the registry and its supposed to be secure then why is the developer at fault?
  Should the developer have to make their own encryption method and stored it where? Thats what the registry is for. Never worked worth a damn anyway. Always hated dealing with registry errors and corruption. Shouldn’t Dell and Acer have tested this stuff? They marketed it as the ultimate in security.
  - dafoink
    
    Wednesday, October 10, 2012 - 6:37 pm · Reply
    
    man, such hostility. cant you get your point across without being so mean and resorting to name calling? Take a breath for a moment and chill.
    - Necron99
      
      Thursday, October 11, 2012 - 12:48 pm · Reply
      
      You’re new here, aren’t you?
Snoop Dogg

Wednesday, October 10, 2012 - 11:18 am · Reply

why is Ballmers microsoft using apple owned password protection, can he not get his people to develop the finger print technology?
- dafoink
  
  Wednesday, October 10, 2012 - 11:56 am · Reply
  
  this is a third party independant software vendor (ISV) that has developed a finger print solution that works with Windows. It has nothing to do with Balmer choosing an apple product. This product was also used by windows before Apple bought it.
Agent Provocateur

Wednesday, October 10, 2012 - 11:22 am · Reply

The UPEK HW/SW was also offered for the Macintosh and was not tested and is not known to be affected.

I contacted @adamcaudill, one of the security researchers involved, via Twitter this morning and he did not test the Mac SW. Have not gotten a reply from @elcomsoft yet (it’s after hours in Russia).

As the Windows problem is related to the Windows Registry, it is likely that it is Windows only problem.
- Derek Currie
  
  Wednesday, October 10, 2012 - 2:36 pm · Reply
  
  I’d still like to see the Mac implementation tested. If they managed to botch the Windows implementation, I expect they’re capable of having botched the Mac version as well.
Saldin

Wednesday, October 10, 2012 - 11:25 am · Reply

Vulnerabilities in UPEK software have been known for some time and nobody cares.
Now that Apple bought the company that had bought UPEK, journalists just print “APPLE OWNED SOFTWARE EXPOSES PASSWORDS” and bingo! Instant scandal.

Ludicrous.
TheConfuzed1

Wednesday, October 10, 2012 - 11:39 am · Reply

” “The UPEK software has long been marketed as a secure means for logging into Windows computers using an owner’s unique fingerprint…”

I found the problem–They mistakenly thought there was a secure way to log into Windows!
Hint

Wednesday, October 10, 2012 - 11:48 am · Reply

Yawn……….……
- Mr. Peabody
  
  Wednesday, October 10, 2012 - 1:04 pm · Reply
  
  +1
NHL

Wednesday, October 10, 2012 - 12:05 pm · Reply

“The weakness came to light no later than September, but Apple has yet to acknowledge it or warn end users how to work around it. No one has accused Apple of being responsible for the underlying design of fingerprint-reading software.”

So Goodin is intimating that this is Apple’s fault or problem?
- dafoink
  
  Wednesday, October 10, 2012 - 12:34 pm · Reply
  
  well, if Apple owns the company, then yes, they have ultimate responsibility of what happens. and if there is a security flaw that can cause damages to the owner of the software, then this is serious and something should be done.
  
  Just like if Microsoft buys a company and a security flaw shows itself. I am sure everyone would be all over them criticizing. And everyone would demand that Microsoft responds and acts. The same needs to be done by Apple.
  - Zeph
    
    Wednesday, October 10, 2012 - 3:59 pm · Reply
    
    But does Apple even actually own the company yet? They’ve indicated their desire to buy and it has been approved by the board. Was it ever approved by the shareholders after they freaked out about it months ago? And even if it has been, until the ink is dry, there is no purchase. We don’t know if Apple has any managerial control over the company at all at this moment.
Undertrader

Wednesday, October 10, 2012 - 12:35 pm · Reply

Hey look, more click bait FUD. MDN is really going downhill.
Derek Currie

Wednesday, October 10, 2012 - 2:33 pm · Reply

Elcomsoft, a Russia-based developer of password-cracking software, warned that the software makes users less secure than they otherwise

Golly, and only last week I was chatting about what worthless crap fingerprint scanning tech is on a computer. And here we have a whole new way of FAIL. Astounding.

I suspect Apple are smart enough to close this ridiculous security hole. But I also suspect they are wondering why they bought this crap tech in the first place.

There is no substitute for a hardcore password. Fingerprint scanning and any other shiny-rainbows-unicorns-and-daisies add on security methods are only good as an ADDED authentication factors. They are ‘replacements’ for nothing.
TRRosen

Wednesday, October 10, 2012 - 3:32 pm · Reply

Always read ‘requires physical access’ as ‘ if your computer is already compromised’. Seriously it’s sloppy programing but changing a windows password it’s trivial if you have access. Rule one don’t let bad guys use your computer. Rule two encrypt your data.