Lenovo has confirmed that its own Fingerprint Manager software is insecure. According to the company's blog post, Fingerprint Manager stores some biometric data on the device. It seems that the recent Windows versions 7 and 8.1 are affected; Windows 10 is not affected because it comes with another integrated solution called ‘Windows Hello’. Jackson Turaisamy originally discovered this hole.
Affected ThinkPads and Desktops
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900
Update your Software
Lenovo advises installing update v8.01.87 or newer, which can be found here.
Lenovo should worry a little about its reputation, because this isn’t the first time it has had a security problem. Of course, it’s not as big as the huge Superfish leak, but maybe it’s time to fire someone and replace him with a more competent person who takes security more seriously. Such big ‘fishes’ are not on your hook every day.
It always surprises me, not that there are holes, but rather that this only gets some attention if it affects multiple systems and devices. I wonder how software gets tested these days; it seems no one cares about quality anymore because an update is always possible, but that this also costs time, bandwidth and so on is something people seem to ignore very quickly.
- Hard-coded Password Lets Attackers Bypass Lenovo’s Fingerprint Scanner (thehackernews.com)