Flaw in Lenovo’s fingerprint software let hackers bypass fingerprint authentication

A severe vulnerability in Lenovo’s Fingerprint Manager Pro software allowed hackers to bypass fingerprint authentication, log in to a system using a hardcoded password and decrypt users’ Windows credentials.

Lenovo’s Fingerprint Manager Pro software stores users’ Windows login credentials, but those credentials are encrypted with a weak algorithm, so anyone with local non-administrative access to the machine can recover them.

In an alert posted on its support page, Lenovo yesterday warned users of Lenovo devices running Windows 7, 8 and 8.1 about a critical flaw in the Fingerprint Manager Pro software that allowed anyone with access to a system to log in using a hardcoded password, without going through fingerprint authentication.

‘A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows login credentials, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in,’ the firm said.

The software is a built-in feature of several Lenovo laptops and allows users to log into their PCs or authenticate to configured websites using fingerprint recognition. According to Lenovo, Fingerprint Manager Pro is installed on the following devices:

ThinkPad L560
ThinkPad P40 Yoga, P50s
ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
ThinkPad W540, W541, W550s
ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
ThinkPad X240, X240s, X250, X260
ThinkPad Yoga 14 (20FY), Yoga 460
ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
ThinkStation E32, P300, P500, P700, P900

While devices running Windows 10 operating system are not affected by the said flaw as such systems use Microsoft’s built-in fingerprint reader support, all Lenovo devices running Windows 7, 8 and 8.1 operating systems need to be updated at the earliest to patch the said flaw. Lenovo has rolled out update version 8.01.87 for Fingerprint Manager Pro.
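For administrators who need to confirm that the update has landed on their Windows 7, 8 and 8.1 fleet, the following PowerShell check is an added example, not code from the article or from Lenovo. It reads the standard Uninstall registry keys and compares the installed version with the fixed release named above, 8.01.87. It assumes PowerShell 3.0 or later, and that the product registers under a DisplayName containing "Fingerprint Manager Pro" with a dotted numeric DisplayVersion; neither detail is confirmed by the article.

```powershell
# Added example: inventory check for Lenovo Fingerprint Manager Pro.
# Assumptions (not confirmed by the article): the product's uninstall entry
# has a DisplayName containing "Fingerprint Manager Pro" and a dotted
# numeric DisplayVersion. Requires PowerShell 3.0 or later.

$FixedVersion = [version]'8.01.87'   # fixed release named by Lenovo

# Both native and WOW6432Node uninstall hives, so 32-bit installs on 64-bit Windows are seen
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-FingerprintManagerStatus {
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Fingerprint Manager Pro*' }

    if (-not $entries) {
        return [pscustomobject]@{ Installed = $false; Name = $null; Version = $null; Vulnerable = $false }
    }

    foreach ($e in $entries) {
        $installed = $null
        $parsed = [version]::TryParse($e.DisplayVersion, [ref]$installed)
        [pscustomobject]@{
            Installed  = $true
            Name       = $e.DisplayName
            Version    = $e.DisplayVersion
            # A version that cannot be parsed is flagged for review rather than silently passed
            Vulnerable = (-not $parsed) -or ($installed -lt $FixedVersion)
        }
    }
}

# Windows 10 relies on Microsoft's built-in fingerprint support and is out of scope;
# the OS caption is reported so the result can be triaged per host.
$os = Get-WmiObject -Class Win32_OperatingSystem
foreach ($status in Get-FingerprintManagerStatus) {
    if ($status.Installed -and $status.Vulnerable) {
        Write-Warning "$($status.Name) $($status.Version) on $($os.Caption): update to $FixedVersion or later."
    } else {
        Write-Output "No vulnerable Fingerprint Manager Pro install found on $($os.Caption)."
    }
}
```

Run it under an account with read access to HKLM (any local user by default) and collect the output centrally; a warning line identifies a host that still needs the 8.01.87 update.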

Commenting on the said flaw, Jon Fielding, Managing Director, EMEA at Apricorn, said: ‘A security implementation is only as good as its weakest link. You can have the most robust front door with the strongest locks but, if you leave the key under the mat, they count for nothing.’

‘This is reminiscent of the high profile USB flaws found in various manufacturers in 2010, where they were passing the unlock key in the clear and using the same code for all devices. If a piece of data is sensitive or critical to the operation of a system – encrypt it with strong and certified algorithms. Leaving it unencrypted is just asking for trouble!’ he added.

Copyright Lyonsdown Limited 2021
