Not the first time that fingerprint readers are deemed the wrong answer (to the "wrong" problem? -- one better not trust their own fingerprints to keep their data secure)<p>From ThinkWiki:
<a href="http://www.thinkwiki.org/wiki/Integrated_Fingerprint_Reader" rel="nofollow">http://www.thinkwiki.org/wiki/Integrated_Fingerprint_Reader</a><p>The UPEK device is supported by thinkfinger. Those devices and Authentec ones are supported by libfprint.<p>However: The fingerprint reader is an INSECURE device and gives a false sense of security! There has been quite a bit of research by a hacker named Starbug, a member of the Chaos Computer Club, Berlin, Germany. He outlined in two very good talks how to forge each and every available fingerprint sensor available at the cost of a few euros, using materials from your local hardware store, a digicam and a laser printer!<p>Remember, using fingerprints for authentication is much similar to having a password which is written on anything you touch.
> UPEK stores Windows account passwords in the registry<p>OK, let's say that's true. If you're also using Bitlocker ( <a href="http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption" rel="nofollow">http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption</a> ), which you should be if you're that concerned about somebody breaching your system ...<p>Then the only way somebody could access the registry is if they had malware installed on your computer or had an account on your system with administrator privileges. If either is true, you're already screwed anyway.<p>I would be more concerned with the fact that fingerprint readers are really easy to foil without any wacky software doing funny things.
I have a circa-2009 Lenovo with a fingerprint reader. On my current Windows install, I didn't bother to track down the fingerprint reader software as Windows Update seemed to take care of the driver for it. Is there any way to figure out what software Microsoft is currently distributing (UPEK Protector Suite vs AuthenTec TrueSuite)? The article seemed to imply the latter does not have this flaw, even if the hardware originally came from UPEK.
I don't have one of these computers so I don't know how it works, but by reading the article it seems to me like you need to supply <i>a</i> password to the software which is then stored in almost plain text. The assumption the article is making is that people will enter their Windows account password?<p>Correct me if I'm wrong.
I specifically opted out of the fingerprint reader when I bought my Lenovo T420 Thinkpad last year. I spent a little time researching them before the purchase and found so many problems with so many readers that I wouldn't feel safe using one, even if it didn't have any currently known vulnerabilities.<p>On the other hand, for most people, with a different convenience:security ratio than mine, they're probably still fine. I was specifically trying to build a secure laptop.
This seems to say that it is a vulnerability with the Accelerated Log-in feature. I used to run Windows on my thinkpad and I tried that out for a few minutes but it seemed like bad news. You swipe your finger at boot time to unlock the BIOS and it automatically logs into windows after windows loads. I knew it was doing something that was likely to be bad and turned it off.
Does anyone know if DigitalPersona readers, such as the one in my HP TouchSmart tm2t tablet, are similarly insecure? They seem to not need the Windows password to configure, but I could be mistaken.
The company is denying this - <a href="http://nakedsecurity.sophos.com/2012/09/06/fingerprint-scanner-security-warning/" rel="nofollow">http://nakedsecurity.sophos.com/2012/09/06/fingerprint-scann...</a> (link from late in the article) - but the vulnerability sounds like it could be relatively easy to check (for example, are the stored passwords the same length as the plaintext, or a typical AES block size?).<p>Does anyone have this installed? If so, what do the data in the registry look like?
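The checks the comment above proposes (does the stored value track the password's length, is it a multiple of the AES block size, does it look like cipher output) can be scripted. The block below is an added example and not code from the thread, from UPEK or from any of the products discussed; it does not know or claim any registry location, so the two blobs it analyzes are constructed stand-ins (a UTF-16-LE password, as Windows would encode it, and 16 arbitrary distinct bytes), and the entropy threshold is a heuristic, not a proof of encryption either way.

```python
import math
from collections import Counter
from typing import Optional

# Constructed sample inputs: not real registry data and not UPEK's format.
PLAINTEXT_UTF16 = "hunter2".encode("utf-16-le")   # 14 bytes, 7 of them NUL
FAKE_CIPHERTEXT = bytes(range(0x10, 0x20))        # 16 distinct byte values

AES_BLOCK = 16


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. The ceiling is min(8, log2(len)); plaintext
    usually sits well below it because of repeated letters and NUL padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def analyze_blob(blob: bytes, candidate_password: Optional[str] = None) -> dict:
    """Apply cheap plausibility checks to a stored credential blob.

    The checks only separate "obviously in the clear" from "at least looks
    like block-cipher output"; a weak obfuscation of the right length and
    entropy would pass them, so a passing blob still warrants a closer look.
    """
    result = {
        "length": len(blob),
        "aes_block_aligned": len(blob) > 0 and len(blob) % AES_BLOCK == 0,
        "entropy_bits_per_byte": round(shannon_entropy(blob), 3),
        "contains_plaintext": False,
        "length_tracks_password": False,
    }
    if candidate_password is not None:
        # Windows stores strings as UTF-16-LE; also try UTF-8 in case the
        # software re-encoded the password before storing it.
        encodings = [candidate_password.encode("utf-8"),
                     candidate_password.encode("utf-16-le")]
        result["contains_plaintext"] = any(enc in blob for enc in encodings)
        result["length_tracks_password"] = any(len(enc) == len(blob) for enc in encodings)

    if result["contains_plaintext"]:
        result["assessment"] = "password stored in the clear"
    elif result["length_tracks_password"] and not result["aes_block_aligned"]:
        result["assessment"] = "length tracks the password: unencrypted or weakly obfuscated"
    elif result["aes_block_aligned"]:
        # Compare against the best entropy a blob of this length could show.
        ceiling = min(8.0, math.log2(len(blob)))
        if result["entropy_bits_per_byte"] >= 0.85 * ceiling:
            result["assessment"] = "consistent with block-cipher output (not proof of it)"
        else:
            result["assessment"] = "block-aligned but low entropy: look closer"
    else:
        result["assessment"] = "inconclusive"
    return result


if __name__ == "__main__":
    for name, blob in (("plaintext", PLAINTEXT_UTF16), ("fake ciphertext", FAKE_CIPHERTEXT)):
        print(name, analyze_blob(blob, "hunter2"))
```

To use it on a real machine you would export the value in question from the registry yourself (this example deliberately does not guess its path) and pass the raw bytes together with the password you enrolled; if the password bytes appear verbatim, or the blob is exactly 2 bytes per character of the password and not block-aligned, the "almost plain text" description in the thread is confirmed for that installation.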