Many would agree that the peaks of the recent computer news landscape have been terraformed by security flaws and their aftershocks. Adding to this expansive landscape of security vulnerability news, Lenovo PCs with fingerprint readers have been harbouring a gaping vulnerability for quite some time.
Ironically, the vulnerability exists within Lenovo’s Fingerprint Manager Pro – an accessory program which facilitates ‘fast, secure, biometric security’ via the built-in fingerprint sensors within a range of Lenovo Think-PCs. In Lenovo’s own words, the problem is as follows:
“A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.”
On Windows 7, 8 and 8.1 systems, owners of Lenovo machines equipped with a fingerprint reader can use their fingerprint to log in to the PC and to access pre-configured websites without having to remember or type passwords, thanks to the bundled accessory software. Windows 10 users won’t be affected by the vulnerability described above, as they use Microsoft’s built-in fingerprint reader support.
Thankfully the Lenovo vulnerability is rather easy to fix. All you have to do is update Fingerprint Manager Pro to version 8.01.87 or later.
Lenovo has provided a list of systems which may come with the affected Lenovo Fingerprint Manager software:
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900
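
To confirm that a machine is on the fixed release, the installed version can be read from the standard Windows uninstall registry keys and compared against 8.01.87. The PowerShell below is an added example, not Lenovo's tooling; the `*Fingerprint Manager*` display-name filter and the function name `Get-FpmStatus` are assumptions, so adjust the filter to match what the installer actually registers.

```powershell
# Added example: report whether Fingerprint Manager Pro is older than the fixed
# version. Written for Windows PowerShell 2.0, which ships with Windows 7.
$FixedVersion = [version]'8.01.87'        # fixed version named in the article
$NameFilter   = '*Fingerprint Manager*'   # ASSUMPTION: DisplayName pattern

# Standard per-machine uninstall keys (64-bit and 32-bit registry views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-FpmStatus {
    param([string]$DisplayName, [string]$DisplayVersion)
    try {
        # [version] parses '8.01.87' as 8.1.87, so leading zeros compare correctly.
        if ([version]$DisplayVersion -lt $FixedVersion) { $status = 'VULNERABLE' }
        else { $status = 'OK' }
    } catch {
        # Empty or non-numeric version string: do not guess, flag for review.
        $status = 'UNKNOWN'
    }
    New-Object PSObject -Property @{
        Name    = $DisplayName
        Version = $DisplayVersion
        Status  = $status
    }
}

# Self-check with constructed version strings (not real inventory data).
Get-FpmStatus 'constructed sample' '8.01.41'   # Status: VULNERABLE
Get-FpmStatus 'constructed sample' '8.01.87'   # Status: OK
Get-FpmStatus 'constructed sample' ''          # Status: UNKNOWN

# Real check against this machine's registry.
$found = @(Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NameFilter } |
    ForEach-Object { Get-FpmStatus $_.DisplayName $_.DisplayVersion })

if ($found.Count -eq 0) {
    Write-Output 'No matching Fingerprint Manager entry found on this machine.'
} else {
    $found | Format-Table Name, Version, Status -AutoSize
}
```

An `UNKNOWN` result means the registered version string could not be parsed and the install should be checked by hand.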