Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

High-Severity Vulnerability in Lenovo Fingerprint Manager

January 31, 2018

I have always been a huge ThinkPad fan. I don't recall when I got my first ThinkPad, but it must be close to twenty years now. I was a little skeptical when IBM sold the ThinkPad line to Lenovo, but I haven't been too disappointed with my recent purchases. I configure the fingerprint software on the ThinkPad to add biometric access. Apparently, there is a HUGE security problem with the Lenovo Fingerprint Manager Pro software on some laptop models. It is possible for someone with local non-administrative access to read Windows logon credentials and fingerprint data. The data is encrypted using a weak algorithm, and the software includes a hard-coded password. Yet again, another reason why backdoors are a bad thing. It's comforting to know that the bad guys must have physical access to your computer.

The laptops with a problem include:

  • ThinkPad L560
  • ThinkPad P40 Yoga, P50s
  • ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
  • ThinkPad W540, W541, W550s
  • ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
  • ThinkPad X240, X240s, X250, X260
  • ThinkPad Yoga 14 (20FY), Yoga 460
  • ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
  • ThinkStation E32, P300, P500, P700, P900

The good news is that Lenovo has a patch to fix the problem. The bonus is that my ThinkPad is not one of the impacted models.

Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
https://www.linkedin.com/in/johnsimek
https://amazon.com/author/johnsimek
https://www.senseient.com