Apple security software reveals Windows passwords

@ 2012/10/15
Security software created by Apple is ideal for taking apart Windows machines, according to a report from insecurity experts Elcomsoft.

The software can turn over Windows computers sold by Dell, Acer, and at least 14 other manufacturers and exploits Apple's fingerprint-reading software known as UPEK Protector Suite.

In July, Apple paid $356 million to buy AuthenTec, which had acquired the technology from privately held UPEK in 2010.

Although Jobs' Mob is not responsible for creating the flawed software, it is playing its usual security games which place users at risk. Apple has yet to acknowledge the flaw or warn end users how to work around it.

UPEK software is used for logging into Windows computers using an owner's unique fingerprint, instead of a user-memorized password.

But Elcomsoft said the software makes users less secure than they otherwise would be because it stores Windows account passwords to the registry and encrypts them with a key that is easy for hackers to retrieve.

It takes seconds for people with the key to extract a password, company officials said.

According to Ars Technica, Brandon Wilson, another security consultant, has confirmed the vulnerability and released open-source software that makes it easy to exploit it.

Easily decrypted passwords are stored in one of several registry keys located in HKEY_LOCAL_MACHINE\Software\Virtual Token\Passport\, depending on the application version. The duo said they released the software and additional information so that penetration testers, who are paid to penetrate the defences of their customers, can exploit the weakness.

When Protector Suite isn't activated, Windows doesn't store account passwords in the registry unless users have specifically configured an account to automatically log in.
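For defenders who need to find affected machines, here is an added example (not code from the article, Elcomsoft or Wilson) that scans the text of a registry export for the key named above and for the auto-logon exception, reporting only that data exists and never its contents. The WOW6432Node path is an assumption, the Winlogon value names are standard Windows settings the article does not name, and the sample export is constructed.

```python
import re

# Key prefix named in the article; the subkeys vary by application version.
UPEK_KEY = r"HKEY_LOCAL_MACHINE\Software\Virtual Token\Passport"
# Assumption: 32-bit installs on 64-bit Windows show up under the WOW6432Node view.
UPEK_KEY_WOW64 = r"HKEY_LOCAL_MACHINE\Software\WOW6432Node\Virtual Token\Passport"
# Standard Windows auto-logon location, the exception the article mentions.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed `reg export` text (decoded from UTF-16); subkey and value names are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Virtual Token\Passport\EXAMPLE-VERSION\EXAMPLE-SUBKEY]
"ExampleValue"=hex:00,11,22,33,\
  44,55

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="0"
'''

def parse_reg(text):
    """Parse .reg export text into {key_path: {lowercased_value_name: raw_data}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join wrapped hex data lines
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
            if m:
                current[m.group(1).strip('"').lower()] = m.group(2)
    return keys

def audit(text):
    """Return (severity, key, detail) findings; stored data is never echoed."""
    prefixes = [p.lower() for p in (UPEK_KEY, UPEK_KEY_WOW64)]
    findings = []
    for path, values in parse_reg(text).items():
        low = path.lower()
        if any(low == p or low.startswith(p + "\\") for p in prefixes):
            detail = f"Protector Suite key, {len(values)} value(s)"
            findings.append(("HIGH" if values else "INFO", path, detail))
        elif low == WINLOGON_KEY.lower():
            if values.get("autoadminlogon") == '"1"' and "defaultpassword" in values:
                findings.append(("MEDIUM", path, "auto-logon password stored in registry"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```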

According to Wilson, every version of the software labeled "UPEK Protector Suite" that he looked at has the vulnerability.

Besides Dell and Acer, other PC makers that preinstall the software include Amoi, Asus, Clevo, Compal, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC, Sager, Samsung, Sony, and Toshiba. All are vulnerable to attack from the Apple software.

UPEK Protector Suite is also rebranded by Lenovo as ThinkVantage Fingerprint Software, Wilson said.

AuthenTec issued a patch for UPEK Protector Suite in mid-September, which Wilson called a "band-aid" because under the new version, passwords are protected using encryption that's trivial to brute force.

Apple and AuthenTec both claim that the software is a safe alternative to account logins, and on that basis the product should be recalled.
