Lenovo admits fingerprint authentication app bugs that made it easy to hack

Lenovo Fingerprint Manager

Fingerprint authentication is a mature security technology, but it is still exposed to hardware and software security risks. Lenovo recently acknowledged that Fingerprint Manager Pro (version 8.01.86), a built-in authentication utility, has security holes that allow attackers to access any system on which the application is installed.

According to Lenovo's disclosure:

A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.

Lenovo Fingerprint Manager Pro is a utility for Windows 7, 8 and 8.1 that allows users to log into their PCs or authenticate to configured websites using fingerprint recognition.

CVE-ID: CVE-2017-3762


The vulnerability was discovered by Jackson Thuraisamy of Security Compass. According to information posted on the Lenovo website, the following devices ship with Lenovo Fingerprint Manager Pro:

  • ThinkPad L560
  • ThinkPad P40 Yoga, P50s
  • ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
  • ThinkPad W540, W541, W550s
  • ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
  • ThinkPad X240, X240s, X250, X260
  • ThinkPad Yoga 14 (20FY), Yoga 460
  • ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
  • ThinkStation E32, P300, P500, P700, P900

Users of affected devices are advised to install version 8.01.87 or later as soon as possible.
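To find out whether a machine still runs the vulnerable build, an administrator can compare the installed version against the fixed release. The script below is an added example, not code from Lenovo or from the advisory; it assumes the product registers itself in the standard Windows uninstall keys with a display name beginning "Lenovo Fingerprint Manager" (adjust the pattern if your systems differ).

```powershell
# Added example: report whether Lenovo Fingerprint Manager Pro is installed and
# whether it is older than 8.01.87, the release that fixes CVE-2017-3762.
# The display-name pattern and uninstall key paths are assumptions.
$FixedVersion = [version]'8.01.87'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect uninstall entries whose display name matches the product.
$entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Lenovo Fingerprint Manager*' }

if (-not $entries) {
    Write-Output 'Lenovo Fingerprint Manager Pro not found in the uninstall registry keys.'
    return
}

foreach ($e in $entries) {
    $installed = $null
    # DisplayVersion is a string; parse it into System.Version for a numeric compare
    # (8.01.86 sorts below 8.01.87, which a plain string compare would also get right,
    # but 8.1.100 vs 8.1.99 would not).
    if (-not [version]::TryParse($e.DisplayVersion, [ref]$installed)) {
        Write-Output "$($e.DisplayName): version '$($e.DisplayVersion)' not parseable, check manually"
        continue
    }
    if ($installed -lt $FixedVersion) {
        $status = 'VULNERABLE (CVE-2017-3762): update to 8.01.87 or later'
    } else {
        $status = 'patched'
    }
    Write-Output "$($e.DisplayName) $installed : $status"
}
```

Run it under an account that can read HKLM; on 64-bit systems the WOW6432Node path covers a 32-bit installer.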