ElcomSoft finds major flaw in UPEK biometrics software

September 5, 2012 - 

ElcomSoft Co. Ltd, a Russian-based provider of corporate security and IT audit products, issued a warning regarding a major flaw in the UPEK Protector Suite software.

The security firm said in a statement: “All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible. If you ever registered your fingerprints with UPEK Protector Suite for accelerated Windows logon and typed your account password there, you are at risk.”

While biometric logon is supposed to offer more security compared to passwords, UPEK Protector Suite failed by simply storing original Windows account passwords, in plain text in the system registry, thereby compromising security.

“The common perception is that biometric logon is just as, or maybe more secure than a password-based one,” stated ElcomSoft Marketing Director Olga Koksharova. “While biometric logon could be implemented in a safe way, UPEK apparently failed. Instead of using a proper technique, they preferred the easy route: UPEK Protector Suite simply stores the original password to a Windows account in an unencrypted fashion, making it vulnerable to intruders.”

In order to secure your account, ElcomSoft recommends that UPEK users launch the Protector Suite and disable the Windows logon feature. That should clear stored password for an individual’s Windows account. The company reminds users that they should clear all stored account passwords in order to protect all user accounts.

The UPEK Protector Suite has been included on devices manufactured by Acer, Asus, Dell, Gateway, Lenovo, MSI, NEC, Samsung, Sony, and Toshiba.

ElcomSoft has informed AuthenTec, who owns the UPEK brand, about the vulnerability. Apple has targeted AuthenTec for acquisition.

With files from T’ash Spencer

Leave a Comment


About Raze Machan

Raze Machan writes full time for BiometricUpdate.com and graduated with a of Bachelor of Science in Information Technology from Central Philippine University. She has been a tech industry writer since 2003. Follow her @Razemachan.