MORRISVILLE – If you thought your unique fingerprint meant tamper-proof security for your Lenovo device, you are wrong. So says Lenovo, which issued an alarm after researcher Jackson Thuraisamy of Security Compass discovered the threat.

The world’s No. 2 PC seller has issued a warning that its Fingerprint Manager, which permits access to computers and other devices through a fingerprint scan, poses a “high” threat of exploitation.

Customers are urged to update Fingerprint Manager Pro to version 8.01.87 or later, Lenovo said.

Lenovo acknowledges a “weak algorithm” for encryption and a “hard-coded password” that could be exploited.

“A vulnerability has been identified in Lenovo Fingerprint Manager Pro,” Lenovo declared.

“Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.”

Noted tech news site The Register:

“The tool could be configured to store and authenticate website credentials via fingerprint.

Unfortunately, Lenovo says, it was also improperly protecting those stored credentials, leaving the readers far less secure than they should be. Now, the PC slinger is advising users still running the Fingerprint Manager Pro software to install the latest update (version 8.01.87) to address the issue.”

Affected devices include:

  • ThinkPad L560
  • ThinkPad P40 Yoga, P50s
  • ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
  • ThinkPad W540, W541, W550s
  • ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
  • ThinkPad X240, X240s, X250, X260
  • ThinkPad Yoga 14 (20FY), Yoga 460
  • ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
  • ThinkStation E32, P300, P500, P700, P900

Lenovo, which operates one of its two global headquarters in Morrisville, announced the fingerprint tool in 2016.