Vulnerability exposing Windows passwords confirmed in fingerprint authentication software acquired by Apple, affecting PCs from a very large number of manufacturers



On July 26, 2012, Apple acquired Authentec, a company that develops fingerprint sensors, chips and related products that Apple will use for security and ID checks, for $356 million (about 28 billion yen). An important security vulnerability has now been found in the company's fingerprint authentication software. The vulnerability is present in every version of the software and is believed to affect computers from more than 14 manufacturers, including Dell and Acer.

Confirmed: Apple-owned fingerprint software exposes Windows passwords | Ars Technica

The vulnerability was found in UPEK Protector Suite. This is security software that requests fingerprint authentication when logging in to Windows, but according to the security software company ElcomSoft, fingerprint login works by storing the password in the registry, encrypted with a key. Because a hacker can easily steal this key, the password can be stolen in just a few seconds. The vulnerability was confirmed by security consultant Brandon Wilson and others, but at the moment Apple has still not acknowledged it and does not appear to have told users about the vulnerability.


Many PCs equipped with this fingerprint authentication software are used by companies, and if the authentication information is stolen there is a danger that attacks will spread to other systems. So that PCs can be checked for the vulnerability, Wilson plans to release open source software for use in penetration tests, along with additional information.


When UPEK Protector Suite is not active, Windows does not store the account password in the registry unless the user configures automatic login, so it is recommended not to enable automatic login. According to the penetration test, disabling the Windows login function in Protector Suite does not delete the password from the registry key, but deleting the user's passport from the application does delete the password. Uninstalling the application offers an option to delete passport data, and choosing it also deletes the password, Wilson said.


According to Wilson, the vulnerability has also been confirmed on PCs from manufacturers such as Amoi, ASUS, CLEVO, Compal, Gateway, IBM / Lenovo, Itronix, MPC, MSI, NEC, Sager, SAMSUNG, SONY and Toshiba, in addition to Dell and Acer. Incidentally, on Lenovo PCs the UPEK fingerprint authentication software is installed under the ThinkVantage name.

Neither Apple nor Authentec commented in response to an email inquiry about this vulnerability.