Lenovo's Fingerprint Scanner Can Be Bypassed via a Hardcoded Password (bleepingcomputer.com)
Lenovo has issued an update to address a vulnerability in its fingerprint scanner app that it ships with ThinkPad, ThinkCentre, and ThinkStation models running Windows 8.1 or older versions of Windows. From a report: Fingerprint Manager Pro is an application developed by Lenovo that allows users to log into Windows machines and online websites by scanning one of their fingerprints using the fingerprint scanner embedded in selected Lenovo products. "A vulnerability has been identified in Lenovo Fingerprint Manager Pro," said Lenovo in a security advisory published last week. "Sensitive data stored by Lenovo Fingerprint Manager Pro, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in," the company said.
Re: (Score:2)
And that's pretty darn high, since Windows 98 is way higher than Windows 10.
Re: (Score:2)
Therefore it follows that Win 10 < Win 95 < Win 98.
I'm surprised most companies permit this (Score:4, Informative)
The place where I work prohibits this via IT Policy and disables the fingerprint scanner on all laptops
Re: (Score:1)
With fingerprint vulnerabilities, however, the problem is that almost anyone can fake a fingerprint with very little technical know-how. All you really need is a method of pulling the print and access to a good photocopier/scanner according to the Mythbusters tes
Re: (Score:1)
My point is simply that the effort required for my average co-worker to access my password-protected laptop is much lower to fool the biometric scanner than it is to exploit a flaw in the OS or the intel management engine.
Again, not talking about technically savvy people here - just the opportunistic person who watched Mythbusters and has sufficient motivation to unlock my PC with little to no d
Re: (Score:2)
That may be the most widely used consumer CPU, but it is very very far from being the most widely used microprocessor. When you use the word "microprocessor," you're talking not only about CPUs but also every microcontroller and most ASICs. None of Intel's microprocessors are in the list of most used microprocessors. I doubt they even have an entry in the top 5!
Strange oversight to make while trying to be the hardware guy in the conversation...
Re: (Score:2)
Quick experiment. How many PCs / Laptops do you have with "Intel Management Engine Inside!"?
Now, how many of the following do you have: Android smartphone, tablet, RoKu, WiFi router, Smart TV, Digital camera, GPS navigator device, Printer that has a web based configuration UI, or anything else with a web based configuration UI, and other things like Nest thermostats and other various gadgets.
Re: (Score:2)
Looking around the room and counting is not really a good system, in my case I've got at least 50 AVR processors within 10' and I doubt my computer monitor has more than 5 or 6 ARM cores.
And even the AMD motherboards often have media ICs with at least 2, probably 3 processor blocks made by Intel. Their most popular processors are probably ones that don't even have a consumer part number because they put the part number on the implemented application.
So while ARM is presumed way ahead, getting a count on eit
Re: (Score:2)
Bio-Metrics often require a targeted attack, meaning you need to know who you are copying. So someone will need to say I want this person's account, has to go through steps to get their fingerprint, replicate it, go to the physical device and use it. Most companies, even ones that value security, see this as a good trade-off. Especially compared to passwords, where while in theory are safer, in practice people will hide their password underneath the keyboard (or worse on some file share), or make it too simpl
Re:I'm surprised most companies permit this (Score:4, Funny)
On a laptop, there are plenty of places right on the laptop itself you could lift a print from.
Re: (Score:2)
On a laptop, there are plenty of places right on the laptop itself you could lift a print from.
That's why I use my big toe as my fingerprint authentication device.
Re: (Score:1)
What about detectability? If someone attacks a network from the outside, there's likely multiple systems that can flag it and alert the admin or security team. If someone copies my fingerprint and unlocks my PC, I have no idea. In fact, it would not register on any alarm / monitoring system.
Of course, if someon
Re: (Score:2)
>With the exception of the ability to pull the print in the first place...
Did the previously authenticated person clean the scanner surface? No? Oh, I just got their print.
That's why I like the 'swipe' version where you have to pull your finger across a narrow reader window instead of the imaging plate variant. At least then you have to work to get a good print off something else (which is actually pretty difficult when the person isn't deliberately trying to leave a print, contrary to what CSI would
Re: (Score:2)
The scanner on most laptops requires a swipe action. That prevents a single fingerprint from sticking on the scanner. You have a better chance getting it from a door knob. Because other methods you normally will get the tips of your fingers, vs the meat of your fingers the scanner takes.
Re: (Score:2)
I have a recent thinkpad with the fingerprint scanner (I got it to play with and see if the linux software is any good, not to actually use; answer is no it is super-flaky).
It only scans a single line of pixels at a time. Not only do you have to swipe your finger across it, you have to do so at a precise speed. And the bezel around it isn't large enough to hold a print, so you have differing surface finishes all around that area.
The best place to lift a print would probably be on the bottom surface. It tend
Re: (Score:2)
writing down passwords is not a good idea
Your fingerprint is a password you "write" pieces of on everything you touch. And once compromised, you can't change it.
Re: (Score:1)
And yet once in a while I can't even convince my Lenovo to grant me access with my real fingerprint* - thanks Lenovo!
*I think that's a Windows 10 thing to be fair, seems to be if I try to fingerprint too soon after waking the machine up, it gets in a weird state and won't play.
Re: (Score:3)
it might be too soon to try your finger.. maybe put on some smooth jazz and give it a glass of wine?
Re: (Score:2)
The place where I work prohibits this via IT Policy and disables the fingerprint scanner on all laptops
If you're not going to use the scanner, why the heck are you buying laptops with them? They're optional in most models of laptop I've come across, and most models that CAN feature the finger print reader often don't. Why buy something if you're just going to disable it?
Re: (Score:2)
If you let employees choose their own laptop features within a budget, they'll be a lot happier with the results and they'll complain less about problems. They will also choose features that you have to disable because they violate various company policies.
If you insert a step where somebody reviews their choices you lose a lot of the morale boost from letting them choose, because they didn't get to choose, they only got to ask.
If you have a bunch of java monkeys, just choose for them. If you have skilled p
Re: (Score:1)
So it's not quite a matter of purchasing a laptop with a scanner you'll never use. Rather, you're purchasing a laptop
Re: (Score:2)
You should dig a bit further into fingerprint reader technology before pulling all your conclusions from a Mythbusters episode... for good measure. Because they really aren't 100% safe today (nothing is), but not because of that Mythbusters episode.
Let me tell you something about this, if you are interested: the often misused Mythbusters episode is not from "a few years ago"... it's almost 12 years old now, from an episode aired in 2006 (http://www.discovery.com/tv-shows/mythbusters/mythbusters-database/fin
Re: (Score:2)
And its password is the same I have on my luggage!
The master key is the same as your luggage, too.
D'oh! (Score:2)
https://www.youtube.com/watch?... [youtube.com]
This is why I install Linux on every new PC (Score:2)
Maybe not everything works as expected, but at least it isn't leaking my stuff out!
Re: (Score:3)
I've been using linux since the 90s, and I always tell people, don't use linux unless you know what you're doing, or don't know what an OS is.
Please don't use linux. There is nothing warm and fuzzy about it. The simple fact is that if you're not either a computer professional/enthusiast, or a very casual computer user, then you have no reason to use it. It will only be harder to use, and won't run most of your software.
If you're casual enough that you would never try to install software without help, you ju
Re: (Score:2)
Bollocks.
Go and be an insufferable elitist boor elsewhere.
Re: (Score:2)
It's not elitist, it's pretty much spot on.
Re: (Score:2)
You might want to get an umbrella, the forecast calls for rain and I'm quite sure you'll drown with your nose held that high.
The thing you didn't comprehend about elitism is that people doing their own thing for their own reasons is actually good. Elitism is where they're keeping others out, not where they simply think it is good if people with low interest levels participate in the activity.
It's good you decided to spend a few seconds of your life to think about elitism for the first time. I commend your ef
Lenovo's security continues to improve. (Score:1)
When asked for comment, one Lenovo executive responded: “This is an excellent example of Lenovo’s continued commitment to improved security. At least this time we didn’t deliberately ship a rootkit.”
Only one thing could make this story better (Score:2)
Is the hard-coded password "hunter2"?
Backdoor eh? (Score:2)
is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in,"
So weak encryption and a backdoor. Just the kind of thing the FBI and others want.
hyperbolic (Score:2)
This is only their older fingerprint scanners.
Current models do not have this exploit.
no big loss. (Score:2)