A severe vulnerability in Lenovo's Fingerprint Manager Pro software allowed hackers to bypass fingerprint authentication, log in to a system using a hardcoded password and decrypt users' Windows credentials.
Lenovo's Fingerprint Manager Pro software stores users' Windows login credentials, but it encrypts them with a weak algorithm, so anyone with local non-administrative access to the machine can recover them.
In an advisory posted on its support page, Lenovo yesterday warned users of Lenovo devices running Windows 7, 8 and 8.1 about a critical flaw in the Fingerprint Manager Pro software that allowed anyone with access to a system to log in using a hardcoded password, without going through fingerprint authentication.
'A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows login credentials, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in,' the firm said.
The software comes built in on several Lenovo laptops and lets users log in to their PCs or authenticate to configured websites using fingerprint recognition. According to Lenovo, Fingerprint Manager Pro is installed on the following devices:
ThinkPad P40 Yoga, P50s
ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
ThinkPad W540, W541, W550s
ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
ThinkPad X240, X240s, X250, X260
ThinkPad Yoga 14 (20FY), Yoga 460
ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
ThinkStation E32, P300, P500, P700, P900
Devices running Windows 10 are not affected, because Windows 10 uses Microsoft's built-in fingerprint reader support, but all Lenovo devices running Windows 7, 8 and 8.1 should be updated as soon as possible. Lenovo has released Fingerprint Manager Pro version 8.01.87, which fixes the flaw.
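For administrators who need to confirm whether a fleet of Windows 7/8/8.1 machines still carries a pre-fix build, the following PowerShell script is an added example written for this article; it is not Lenovo's tooling and does not come from the advisory. It reads the standard Uninstall registry keys and compares the installed DisplayVersion against the 8.01.87 release named above. The DisplayName pattern "*Fingerprint Manager*" is an assumption about how the product registers itself; adjust it if your build uses a different name.

```powershell
# Added example (not Lenovo's code): report whether Lenovo Fingerprint Manager Pro
# is present and whether its version is older than the fixed release 8.01.87.
# Assumption: the product appears under the standard Uninstall keys with a
# DisplayName containing "Fingerprint Manager".

$FixedVersion = [version]'8.01.87'
$NamePattern  = '*Fingerprint Manager*'   # assumption: DisplayName match pattern

# Both native and WOW6432Node keys, so a 32-bit installer on 64-bit Windows is found too.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Windows 10 relies on Microsoft's own fingerprint support and is outside the affected set.
$OsVersion = [System.Environment]::OSVersion.Version
if ($OsVersion.Major -ge 10) {
    Write-Output "Windows 10 or later detected: not in the affected set (Windows 7/8/8.1)."
}

$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern }

if (-not $Installed) {
    Write-Output "No product matching '$NamePattern' found in the Uninstall registry keys."
    return
}

foreach ($App in $Installed) {
    $Current = $null
    # DisplayVersion is a free-form string; fall back to a manual check if it does not parse.
    if (-not [version]::TryParse($App.DisplayVersion, [ref]$Current)) {
        Write-Output ("{0}: version string '{1}' could not be parsed; inspect manually." -f `
            $App.DisplayName, $App.DisplayVersion)
        continue
    }
    if ($Current -lt $FixedVersion) {
        Write-Output ("VULNERABLE: {0} {1} is older than {2}; install Lenovo's update." -f `
            $App.DisplayName, $Current, $FixedVersion)
    } else {
        Write-Output ("OK: {0} {1} is at or above {2}." -f $App.DisplayName, $Current, $FixedVersion)
    }
}
```

Run it in an elevated or standard PowerShell session on each endpoint, or wrap it in Invoke-Command for remote hosts. Note that [version] normalises "8.01.87" to 8.1.87, which is why the comparison is done on parsed [version] objects rather than on the raw strings.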
Commenting on the said flaw, Jon Fielding, Managing Director, EMEA at Apricorn, said: 'A security implementation is only as good as its weakest link. You can have the most robust front door with the strongest locks but, if you leave the key under the mat, they count for nothing.'
'This is reminiscent of the high profile USB flaws found in various manufacturers in 2010, where they were passing the unlock key in the clear and using the same code for all devices. If a piece of data is sensitive or critical to the operation of a system – encrypt it with strong and certified algorithms. Leaving it unencrypted is just asking for trouble!' he added.