Lenovo has identified a serious security flaw in some of its devices that can help hackers bypass the fingerprint scanner embedded in those products.
First identified by Jackson Thuraisamy from Security Compass, the vulnerability was discovered in the Fingerprint Manager Pro app the company shipped with ThinkPad, ThinkCentre and ThinkStation machines. The application, developed by Lenovo itself, allows users to log into their Windows computers and websites by using fingerprint recognition.
"Sensitive data stored by Lenovo Fingerprint Manager Pro, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm," Lenovo said in a security advisory published last week.
The company also disclosed that the app contains a hardcoded password, which "is accessible to all users with local non-administrative access to the system it is installed in."
The vulnerability, therefore, could allow a hacker to exploit the hardcoded password to potentially break the fingerprint authentication, and decrypt existing Windows login credentials and fingerprint data. Lenovo has rated the vulnerability's severity as high.
According to the company, devices running Lenovo Fingerprint Manager Pro on Windows 7, 8 and 8.1 versions are affected by the flaw. Windows 10 systems, which use Microsoft's built-in fingerprint reader, are not affected.
Lenovo recently released an updated version (8.01.87) of Fingerprint Manager Pro that fixes the issue, and has advised users to download and install version 8.01.87 (or later) of the application.
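A way to check an endpoint for the fixed version from the remediation advice above, as an added PowerShell example that is not part of the article or Lenovo's own tooling; the uninstall-key DisplayName pattern and the use of Win32_OperatingSystem to identify the OS are assumptions:

```powershell
# Added example, not from the article or Lenovo. Assumptions: the product
# registers an uninstall entry whose DisplayName contains "Fingerprint Manager"
# (pattern assumed), and the fixed version is 8.01.87 as the article states.
# Written to run on the PowerShell 2.0 that ships with Windows 7.
$FixedVersion = [version]'8.01.87'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-FingerprintManagerPro {
    # Emits one object per matching install; Affected is $true when the
    # installed version is older than the fix or cannot be parsed.
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Fingerprint Manager*' }
    foreach ($e in $entries) {
        $installed = $null
        $parsed = [version]::TryParse([string]$e.DisplayVersion, [ref]$installed)
        New-Object PSObject -Property @{
            DisplayName    = $e.DisplayName
            DisplayVersion = $e.DisplayVersion
            Affected       = (-not $parsed) -or ($installed -lt $FixedVersion)
        }
    }
}

# The article reports Windows 7, 8 and 8.1 as affected (NT 6.1, 6.2, 6.3) and
# Windows 10 as not affected. WMI is used rather than [Environment]::OSVersion,
# which can under-report the version on 8.1 without a manifest.
$osVersion = [version](Get-WmiObject Win32_OperatingSystem).Version
$osInScope = ($osVersion.Major -eq 6) -and (@(1, 2, 3) -contains $osVersion.Minor)

$results = @(Test-FingerprintManagerPro)
"OS version $osVersion; in scope for this advisory: $osInScope"
if ($results.Count -eq 0) {
    "No Fingerprint Manager Pro uninstall entry found."
} else {
    $results | Select-Object DisplayName, DisplayVersion, Affected | Format-Table -AutoSize
}
```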
Here's the full list of affected devices:
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900