IT Security


Lenovo have urged all affected users to update to the latest patch to resolve this issue. The issue lies in the Fingerprint Manager Pro application, which is installed by default on Lenovo devices with a built-in fingerprint scanner.

The application uses a weak encryption algorithm with a hardcoded password. This hardcoded password, created by Lenovo, can be accessed by any user with local non-administrative access, such as a guest user, and can be retrieved and used to unlock the passwords and fingerprint data stored on the device.

An attacker can then use the information gathered to log in as any user that has used the Fingerprint Manager Pro application for logging in.

Who is affected?

Anyone with a Lenovo laptop of these models that has the Lenovo Fingerprint Manager Pro software installed at a version lower than 8.01.87:

• ThinkPad L560
• ThinkPad P40 Yoga, P50s
• ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
• ThinkPad W540, W541, W550s
• ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
• ThinkPad X240, X240s, X250, X260
• ThinkPad Yoga 14 (20FY), Yoga 460
• ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
• ThinkStation E32, P300, P500, P700, P900

The operating systems affected by this are Windows 7, 8 and 8.1. Windows 10 users are not affected, as Windows 10 uses Microsoft's native support.
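
A local check for the version and operating system conditions listed above, as an added example that is not Lenovo's code or part of the original post. It assumes the product is registered under the standard Windows uninstall registry keys with a DisplayName containing "Fingerprint Manager Pro" and a dotted DisplayVersion; the function name is hypothetical.

```powershell
# Fixed version and affected OS range are taken from the advisory text above.
$FixedVersion = [version]'8.01.87'            # compared numerically, i.e. 8.1.87
$NamePattern  = '*Fingerprint Manager Pro*'   # assumption: DisplayName contains this text

# Standard per-machine uninstall keys (64-bit and 32-bit registry views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-FmpOutdated {
    # Returns $true if older than the fix, $false if patched,
    # $null if the version string is missing or cannot be parsed.
    param([string]$DisplayVersion)
    if ([string]::IsNullOrEmpty($DisplayVersion)) { return $null }
    try   { return ([version]$DisplayVersion) -lt $FixedVersion }
    catch { return $null }
}

# Windows 7, 8 and 8.1 report NT versions 6.1 to 6.3; Windows 10 reports 10.0.
$os = [Environment]::OSVersion.Version
$osAffected = ($os.Major -eq 6 -and $os.Minor -ge 1)

$found = @(Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern })

if ($found.Count -eq 0) {
    'Fingerprint Manager Pro not found in the uninstall registry keys.'
}

foreach ($entry in $found) {
    $outdated = Test-FmpOutdated $entry.DisplayVersion
    if ($null -eq $outdated) {
        $status = 'UNKNOWN VERSION, check manually'
    } elseif ($outdated -and $osAffected) {
        $status = 'VULNERABLE, install the Lenovo patch'
    } elseif ($outdated) {
        $status = 'outdated, but this OS is not listed as affected'
    } else {
        $status = 'patched'
    }
    '{0} {1} on Windows NT {2}.{3}: {4}' -f $entry.DisplayName,
        $entry.DisplayVersion, $os.Major, $os.Minor, $status
}
```

Comparing the versions as `[version]` objects rather than strings matters here: a string comparison would rank "8.01.100" below "8.01.87".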

Next Steps

If you are affected by this issue, Lenovo have released a patch here: https://support.lenovo.com/gb/en/product_security/len-15999

Further Reading

For more information, please refer to the following:
https://arstechnica.com/information-technology/2018/01/lenovo-fixes-hard-coded-password-and-weak-crypto-in-fingerprint-manager/
https://www.engadget.com/2018/01/29/lenovo-fingerprint-manager-passwords-vulnerable/