Lenovo's Fingerprint Scanner Can Be Bypassed via a Hardcoded Password (bleepingcomputer.com)

Lenovo has issued an update to address a vulnerability in its fingerprint scanner app that it ships with ThinkPad, ThinkCentre, and ThinkStation models running Windows 8.1 or older versions of Windows. From a report: Fingerprint Manager Pro is an application developed by Lenovo that allows users to log into Windows machines and online websites by scanning one of their fingerprints using the fingerprint scanner embedded in selected Lenovo products. "A vulnerability has been identified in Lenovo Fingerprint Manager Pro," said Lenovo in a security advisory published last week. "Sensitive data stored by Lenovo Fingerprint Manager Pro, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in," the company said.
  • by froggyjojodaddy ( 5025059 ) on Monday January 29, 2018 @01:07PM (#56027853)
    A few years ago, Mythbusters had an episode where they showed how easy it was to fool fingerprint scanners into granting access.

    The place where I work prohibits this via IT Policy and disables the fingerprint scanner on all laptops
    • The two largest commercially available closed source operating systems have major security flaws that ship with the OS. Why would you care about a fingerprint scanner?
      • I think most organizations (hopefully I'm not generalizing too much here..) are somewhat protected against OS level flaw attacks through anti-virus software, firewalls etc and the effort & knowledge required to take advantage of those flaws.

        With fingerprint vulnerabilities, however, the problem is that almost anyone can fake a fingerprint with very little technical know-how. All you really need is a method of pulling the print and access to a good photocopier/scanner according to the Mythbusters tes
      • The most widely used microprocessor has compromise ("Intel management engine") baked right into the hardware. Why would you care about the insecurity of the OS?
        • Excellent point! But check out the guy worried about a fingerprint scanner!
          • Hopefully I'm not coming across as a defender of fingerprint scanners or the problems with OS level flaws!

            My point is simply that the effort required for my average co-worker to access my password-protected laptop is much lower to fool the biometric scanner than it is to exploit a flaw in the OS or the intel management engine.

            Again, not talking about technically savvy people here - just the opportunistic person who watched Mythbusters and has sufficient motivation to unlock my PC with little to no d
        • That may be the most widely used consumer CPU, but it is very very far from being the most widely used microprocessor. When you use the word "microprocessor," you're talking not only about CPUs but also every microcontroller and most ASICs. None of Intel's microprocessors are in the list of most used microprocessors. I doubt they even have an entry in the top 5!

          Strange oversight to make while trying to be the hardware guy in the conversation...

          • The number of ARM processors in use very probably already exceeds the number of Intel processors in use.

            Quick experiment. How many PCs / Laptops do you have with "Intel Management Engine Inside!"?

            Now, how many of the following do you have: Android smartphone, tablet, RoKu, WiFi router, Smart TV, Digital camera, GPS navigator device, Printer that has a web based configuration UI, or anything else with a web based configuration UI, and other things like Nest thermostats and other various gadgets.
            • Looking around the room and counting is not really a good system, in my case I've got at least 50 AVR processors within 10' and I doubt my computer monitor has more than 5 or 6 ARM cores.

              And even the AMD motherboards often have media ICs with at least 2, probably 3 processor blocks made by Intel. Their most popular processors are probably ones that don't even have a consumer part number because they put the part number on the implemented application.

              So while ARM is presumed way ahead, getting a count on eit

    • Biometrics often require a targeted attack, meaning you need to know who you are copying. So someone will need to say "I want this person's account", has to go through steps to get their fingerprint, replicate it, go to the physical device and use it. Most companies, even ones that value security, see this as a good trade-off. Especially compared to passwords, which, while in theory safer, in practice people will hide underneath the keyboard (or worse, on some file share), or make it too simpl

      • by omnichad ( 1198475 ) on Monday January 29, 2018 @01:22PM (#56027955) Homepage

        On a laptop, there are plenty of places right on the laptop itself you could lift a print from.

        • by SeaFox ( 739806 )

          On a laptop, there are plenty of places right on the laptop itself you could lift a print from.

          That's why I use my big toe as my fingerprint authentication device.

      • You make a good point. Although, watching the Mythbusters bypass it - it didn't seem to require a LOT of resources. With the exception of the ability to pull the print in the first place...

        What about detectability? If someone attacks a network from the outside, there's likely multiple systems that can flag it and alert the admin or security team. If someone copies my fingerprint and unlocks my PC, I have no idea. In fact, it would not register on any alarm / monitoring system.

        Of course, if someon
        • >With the exception of the ability to pull the print in the first place...

          Did the previously authenticated person clean the scanner surface? No? Oh, I just got their print.

          That's why I like the 'swipe' version where you have to pull your finger across a narrow reader window instead of the imaging plate variant. At least then you have to work to get a good print off something else (which is actually pretty difficult when the person isn't deliberately trying to leave a print, contrary to what CSI would

          • The scanner on most laptops requires a swipe action. That prevents a single fingerprint from sticking on the scanner. You have a better chance getting it from a door knob, because with other methods you normally will get the tips of your fingers, vs the meat of your fingers the scanner takes.

          • I have a recent thinkpad with the fingerprint scanner (I got it to play with and see if the linux software is any good, not to actually use; answer is no it is super-flaky).

            It only scans a single line of pixels at a time. Not only do you have to swipe your finger across it, you have to do so at a precise speed. And the bezel around it isn't large enough to hold a print, so you have differing surface finishes all around that area.

            The best place to lift a print would probably be on the bottom surface. It tend

        • writing down passwords is not a good idea

          Your fingerprint is a password you "write" pieces of on everything you touch. And once compromised, you can't change it.

    • by Anonymous Coward

      And yet once in a while I can't even convince my Lenovo to grant me access with my real fingerprint* - thanks Lenovo!

        *I think that's a Windows 10 thing to be fair, seems to be if I try to fingerprint too soon after waking the machine up, it gets in a weird state and won't play.

    • The place where I work prohibits this via IT Policy and disables the fingerprint scanner on all laptops

      If you're not going to use the scanner, why the heck are you buying laptops with them? They're optional in most models of laptop I've come across, and most models that CAN feature the fingerprint reader often don't. Why buy something if you're just going to disable it?

      • If you let employees choose their own laptop features within a budget, they'll be a lot happier with the results and they'll complain less about problems. They will also choose features that you have to disable because they violate various company policies.

        If you insert a step where somebody reviews their choices you lose a lot of the morale boost from letting them choose, because they didn't get to choose, they only got to ask.

        If you have a bunch of java monkeys, just choose for them. If you have skilled p

      • I'm not part of the purchasing team but I'll venture a guess that when buying a couple of thousand laptops at a time, you have certain specifications. Say a laptop meets all of those specs and you get a great deal on the price but it comes with a fingerprint scanner. You don't really care for the scanner but since you have the ability to disable it at the corp level, it doesn't matter.

        So it's not quite a matter of purchasing a laptop with a scanner you'll never use. Rather, you're purchasing a laptop
    • You should dig a bit further into fingerprint reader technology before pulling all your conclusions from a Mythbusters episode... for good measure. Because they really aren't 100% safe today (nothing is), but not because of that Mythbusters episode.

      Let me tell you something about this, if you are interested: the often misused Mythbusters episode is not from "a few years ago"... it's almost 12 years old now, from an episode aired in 2006 (http://www.discovery.com/tv-shows/mythbusters/mythbusters-database/fin

  • Maybe not everything works as expected, but at least it isn't leaking my stuff out!

  • by Anonymous Coward

    When asked for comment, one Lenovo executive responded: “This is an excellent example of Lenovo’s continued commitment to improved security. At least this time we didn’t deliberately ship a rootkit.”

    • HAH! Nice one. I was just thinking about what a crap reputation Lenovo is building for itself. It's a shame really, IBM made a solid laptop before they decided to sell out to China.
  • Is the hard-coded password "hunter2"?

  • is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in,"

    So weak encryption and a backdoor. Just the kind of thing the FBI and others want.

  • Modded down for sensationalist title.

    This is only their older fingerprint scanners.

    Current models do not have this exploit.
  • Their fingerprint scanners are crappy anyway, easy to fool. So a hard-coded passw0rd! is more difficult to crack than cheating the fingerprint scanner.
