Lenovo's craptastic fingerprint scanner has a hardcoded password
ThinkPad owners need to update their software – unless they're using Windows 10
Lenovo wants ThinkPad owners to update their machines after its Fingerprint Manager Pro software was found to contain serious security vulnerabilities.
Among the glaring flaws cited: a hardcoded password. In the fingerprint scanner. To log into the computer.
"Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in," Lenovo said in fessing up on Thursday.
Discovery of the flaws was credited to Jackson Thuraisamy at Security Compass.
In total, Lenovo says that more than two dozen ThinkPad models are vulnerable, along with five ThinkStation models and eight ThinkCentre models.
Lenovo says Fingerprint Manager Pro was used with ThinkPad, ThinkCentre, and ThinkStation machines running Windows 7, Windows 8, and Windows 8.1. The tool could be configured to store and authenticate website credentials via fingerprint.
Unfortunately, Lenovo says, it was also improperly protecting those stored credentials, leaving the readers far less secure than they should be. Now, the PC slinger is advising users still running the Fingerprint Manager Pro software to install the latest update (version 8.01.87) to address the issue.
Because the Fingerprint Manager Pro software does not need to run on Windows 10 (Microsoft added native fingerprint reader support in that version of the OS), newer and updated machines are not considered vulnerable.
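For admins who want to confirm which machines still carry a pre-8.01.87 build, here is an added inventory check; it is not Lenovo's code nor from the advisory. It assumes the product registers a standard uninstall entry whose DisplayName contains "Fingerprint Manager Pro" (the name pattern and the registry uninstall hives are assumptions; the fixed version 8.01.87 and the Windows 10 exemption come from the advisory).

```powershell
# Added example (not Lenovo's code). Reports whether an installed
# Fingerprint Manager Pro is older than the fixed build from the advisory.
$FixedVersion = [version]'8.01.87'           # fixed build named by Lenovo
$NamePattern  = '*Fingerprint Manager Pro*'  # assumption: adjust to your inventory

function Get-FingerprintManagerProInstall {
    # Scan both native and WOW6432Node uninstall hives so a 32-bit
    # install on 64-bit Windows is not missed.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        Select-Object DisplayName, DisplayVersion, PSPath
}

function Test-FingerprintManagerProStatus {
    param([string]$InstalledVersion)
    # [version] compares component by component, so '8.01.87' and
    # '8.1.87' are equal and '8.9.0' is correctly older than '8.10.0'.
    try { $v = [version]$InstalledVersion } catch { return 'UnparseableVersion' }
    if ($v -lt $FixedVersion) { 'Vulnerable' } else { 'Patched' }
}

$os       = Get-CimInstance Win32_OperatingSystem
$installs = @(Get-FingerprintManagerProInstall)
if ($installs.Count -eq 0) {
    "No Fingerprint Manager Pro install found (expected on Windows 10, which uses native support)."
}
foreach ($i in $installs) {
    $state = Test-FingerprintManagerProStatus -InstalledVersion $i.DisplayVersion
    "{0} {1} -> {2} (OS version {3})" -f $i.DisplayName, $i.DisplayVersion, $state, $os.Version
}
```

Run it with local administrator rights across the fleet (for example via your endpoint management tool) and triage any host that reports Vulnerable or UnparseableVersion.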
Earlier this month, Lenovo moved to put to bed another headache from its past when it agreed to a settlement deal with the FTC that will end the case over its use of intrusive adware in its pre-bundled software on PCs back in 2014.®