Slashdot Mirror


Lenovo's Fingerprint Scanner Can Be Bypassed via a Hardcoded Password (bleepingcomputer.com)

Lenovo has issued an update to address a vulnerability in its fingerprint scanner app that it ships with ThinkPad, ThinkCentre, and ThinkStation models running Windows 8.1 or older versions of Windows. From a report: Fingerprint Manager Pro is an application developed by Lenovo that allows users to log into Windows machines and online websites by scanning one of their fingerprints using the fingerprint scanner embedded in selected Lenovo products. "A vulnerability has been identified in Lenovo Fingerprint Manager Pro," said Lenovo in a security advisory published last week. "Sensitive data stored by Lenovo Fingerprint Manager Pro, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in," the company said.
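The third condition in the advisory (the store is readable by any local non-administrative user) is the one you can check yourself on a fleet: a credential store that only a hard-coded key protects is only as safe as its file ACL. The script below is an added example, not Lenovo's code and not from the report. It parses the output of Windows' built-in `icacls` for one file and flags allow ACEs that give broad local principals (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) read-capable rights; the file path and the icacls listing it runs over are constructed to resemble a store that inherited the default ProgramData ACL, not the real product's files. It also builds the `icacls /inheritance:r /grant:r` command that would restrict such a file to SYSTEM and Administrators, which is the usual remediation when the application itself cannot be patched yet.

```python
"""Flag icacls ACEs that let low-privileged local users read a file (added example)."""
import re

# Principals that, on a default Windows workstation, include every local non-admin user.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls right tokens that imply the ability to read the file's contents
# (simple rights F/M/RX/R, generic GA/GR, and the specific right RD).
READ_TOKENS = {"F", "M", "RX", "R", "GA", "GR", "RD"}

# Tokens icacls emits as inheritance/propagation flags or a deny marker, not rights.
FLAG_TOKENS = {"I", "OI", "CI", "IO", "NP", "DENY"}

# One ACE looks like  PRINCIPAL:(I)(OI)(CI)(RX)  or  PRINCIPAL:(DENY)(R)
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([^()]*\))+)$")


def parse_icacls(path, output):
    """Return [(principal, is_deny, {right tokens})] for one file's icacls listing."""
    aces = []
    for line in output.splitlines():
        if line.startswith(path):          # first ACE shares its line with the path
            line = line[len(path):]
        line = line.strip()
        m = ACE_RE.match(line)
        if not m:                          # blank lines and the "Successfully processed" footer
            continue
        tokens = set()
        for group in re.findall(r"\(([^()]*)\)", m.group("groups")):
            tokens.update(t.strip() for t in group.split(","))
        is_deny = "DENY" in tokens
        rights = tokens - FLAG_TOKENS
        aces.append((m.group("who").strip(), is_deny, rights))
    return aces


def readable_by_low_priv(path, output):
    """Principals from LOW_PRIV_PRINCIPALS holding a read-capable allow ACE on `path`."""
    hits = []
    for who, is_deny, rights in parse_icacls(path, output):
        if is_deny:
            continue                       # a deny ACE grants nothing
        if who.lower() in LOW_PRIV_PRINCIPALS and rights & READ_TOKENS:
            hits.append((who, sorted(rights)))
    return hits


def remediation_command(path):
    """icacls call that drops inherited ACEs and leaves only SYSTEM and Administrators."""
    return (f'icacls "{path}" /inheritance:r '
            '/grant:r "NT AUTHORITY\\SYSTEM:(F)" "BUILTIN\\Administrators:(F)"')


# Constructed sample (hypothetical path): what `icacls C:\ProgramData\Example\store.bin`
# prints for a file that inherited the default ProgramData ACL, where Users get RX.
SAMPLE_PATH = r"C:\ProgramData\Example\store.bin"
SAMPLE_OUTPUT = r"""C:\ProgramData\Example\store.bin NT AUTHORITY\SYSTEM:(I)(F)
                                 BUILTIN\Administrators:(I)(F)
                                 BUILTIN\Users:(I)(RX)
                                 CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, rights in readable_by_low_priv(SAMPLE_PATH, SAMPLE_OUTPUT):
        print(f"{who} can read {SAMPLE_PATH}: {rights}")
    print(remediation_command(SAMPLE_PATH))
```

On a real machine, feed it the output of `icacls <path>` for the application's data directory; anything the check reports is readable by every local account, so the hard-coded key in the binary is all that stands between a standard user and the stored logon credentials. The DENY handling is deliberately conservative: a deny ACE is skipped rather than subtracted, so a principal that is both allowed and denied still shows up for manual review.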

67 comments

  1. chinese communists by Anonymous Coward · · Score: 0

    what do you expect

    1. Re:chinese communists by DickBreath · · Score: 1

      I expect it to have security standards that meet or exceed those of Windows 98.

      And that's pretty darn high, since Windows 98 is way higher than Windows 10.

      --

      I'll see your senator, and I'll raise you two judges.
    2. Re:chinese communists by Anonymous Coward · · Score: 0

      How so? Because Win98 is no longer a target or because back in 1998 state actors weren't targeting consumer technology and Russian businesses had not yet figured out how to commercialize hacking?

    3. Re:chinese communists by DickBreath · · Score: 1

      Because 10 < 95 < 98.

Therefore it follows that Win 10 < Win 95 < Win 98.

      --

      I'll see your senator, and I'll raise you two judges.
  2. I'm surprised most companies permit this by froggyjojodaddy · · Score: 4, Informative

    A few years ago, Mythbusters had an episode where they showed how easy it was to fool fingerprint scanners into granting access.

    The place where I work prohibits this via IT Policy and disables the fingerprint scanner on all laptops

    1. Re:I'm surprised most companies permit this by 110010001000 · · Score: 2

      The two largest commercially available closed source operating systems have major security flaws that ship with the OS. Why would you care about a fingerprint scanner?

    2. Re:I'm surprised most companies permit this by jellomizer · · Score: 1

Biometrics often require a targeted attack, meaning you need to know who you are copying. So someone will need to say "I want this person's account", has to go through steps to get their fingerprint, replicate it, go to the physical device and use it. Most companies, even ones that value security, see this as a good trade-off. Especially compared to passwords, where, while in theory they are safer, in practice people will hide their password underneath the keyboard (or worse, on some file share), or make it too simple. So a random person such as a cleaner could find the password and use it to get in. Also, once they have the password they can normally get in outside the office and remotely.

      Just because mythbusters did it, they have access to a lot of resources, and are able to cut out failures.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:I'm surprised most companies permit this by froggyjojodaddy · · Score: 1

      I think most organizations (hopefully I'm not generalizing too much here..) are somewhat protected against OS level flaw attacks through anti-virus software, firewalls etc and the effort & knowledge required to take advantage of those flaws.

      With fingerprint vulnerabilities, however, the problem is that almost anyone can fake a fingerprint with very little technical know-how. All you really need is a method of pulling the print and access to a good photocopier/scanner according to the Mythbusters test. Like most attacks, I'm guessing the majority of the risk comes from the inside rather than the outside.

    4. Re:I'm surprised most companies permit this by omnichad · · Score: 3, Funny

      On a laptop, there are plenty of places right on the laptop itself you could lift a print from.

    5. Re:I'm surprised most companies permit this by Anonymous Coward · · Score: 1

      And yet once in a while I can't even convince my Lenovo to grant me access with my real fingerprint* - thanks Lenovo!

        *I think that's a Windows 10 thing to be fair, seems to be if I try to fingerprint too soon after waking the machine up, it gets in a weird state and won't play.

    6. Re:I'm surprised most companies permit this by froggyjojodaddy · · Score: 1

      You make a good point. Although, watching the Mythbusters bypass it - it didn't seem to require a LOT of resources. With the exception of the ability to pull the print in the first place...

      What about detectability? If someone attacks a network from the outside, there's likely multiple systems that can flag it and alert the admin or security team. If someone copies my fingerprint and unlocks my PC, I have no idea. In fact, it would not register on any alarm / monitoring system.

Of course, if someone has their password written down, then all bets are off - but that person must know, on some level, that writing down passwords is not a good idea.

    7. Re:I'm surprised most companies permit this by DickBreath · · Score: 1

      The most widely used microprocessor has compromise ("Intel management engine") baked right into the hardware. Why would you care about the insecurity of the OS?

      --

      I'll see your senator, and I'll raise you two judges.
    8. Re:I'm surprised most companies permit this by Anonymous Coward · · Score: 0

      Just because mythbusters did it, they have access to a lot of resources, and are able to cut out failures.

      We all have access to gummi bears.

    9. Re:I'm surprised most companies permit this by 110010001000 · · Score: 2

What knowledge? There are one-line exploits already out there, ready-made. How would a firewall help?

    10. Re:I'm surprised most companies permit this by 110010001000 · · Score: 1

      Excellent point! But check out the guy worried about a fingerprint scanner!

    11. Re:I'm surprised most companies permit this by froggyjojodaddy · · Score: 1

      Hopefully I'm not coming across as a defender of fingerprint scanners or the problems with OS level flaws!

      My point is simply that the effort required for my average co-worker to access my password-protected laptop is much lower to fool the biometric scanner than it is to exploit a flaw in the OS or the intel management engine.

      Again, not talking about technically savvy people here - just the opportunistic person who watched Mythbusters and has sufficient motivation to unlock my PC with little to no detection risk.

    12. Re:I'm surprised most companies permit this by Anonymous Coward · · Score: 0

      Just because mythbusters did it, they have access to a lot of resources, and are able to cut out failures.

      We all have access to gummi bears.

      If you want to do it with style, you use a Jelly Baby instead.

    13. Re: I'm surprised most companies permit this by Anonymous Coward · · Score: 0

      How would a firewall help?
      Dude do you even computer?

    14. Re: I'm surprised most companies permit this by Anonymous Coward · · Score: 0

      Use Sour Patch Kids.
      Now nobody can use the fingerprint scanner!
      Also, IDK why, but your laptop is full of ants.

    15. Re:I'm surprised most companies permit this by Anonymous Coward · · Score: 0

      "Most companies even ones that value security see this as a good trade-off." and those companies would be stupid!

      Biometrics also cannot be revoked, passwords can! Good operational security is layer based and relying on biometrics often comes at the cost of those layers. Biometrics should never be used as a password, instead they should be used as an identity like a user name but entry to a system should require a password as well.

Also, there is nothing wrong with writing down passwords, especially if you are smart about it. Some examples would be a notebook in a locked safe, or maybe add a cipher to it as well for extra security. In essence, security through layers. The other thing to consider is to make people responsible as well; in other words, if a breach happens with your user-name and password then you are partially responsible for said breach.

It's woefully amusing when people think security is a black and white thing. The only concrete thing one could ever say about security is that nothing is ever 100% secure and quite frankly never will be. The ongoing development of technology ensures that, because as we create new forms of algorithmic and procedural security, we are also finding the holes in the previous versions. Security is nothing more than a function involving the cost of implementation, the cost of cracking the security and the potential cost of data loss. Every system out there is breachable; it just depends on how much money/time the attacker has and how valuable the data is.

    16. Re:I'm surprised most companies permit this by Baron_Yam · · Score: 1

      >With the exception of the ability to pull the print in the first place...

      Did the previously authenticated person clean the scanner surface? No? Oh, I just got their print.

      That's why I like the 'swipe' version where you have to pull your finger across a narrow reader window instead of the imaging plate variant. At least then you have to work to get a good print off something else (which is actually pretty difficult when the person isn't deliberately trying to leave a print, contrary to what CSI would have you believe)

    17. Re:I'm surprised most companies permit this by rogoshen1 · · Score: 2

      it might be too soon to try your finger.. maybe put on some smooth jazz and give it a glass of wine?

    18. Re:I'm surprised most companies permit this by jellomizer · · Score: 1

The scanner on most laptops requires a swipe action. That prevents a single fingerprint from sticking on the scanner. You have a better chance getting it from a door knob, because with other methods you normally will get the tips of your fingers, vs. the meat of your fingers that the scanner takes.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    19. Re:I'm surprised most companies permit this by duke_cheetah2003 · · Score: 1

      The place where I work prohibits this via IT Policy and disables the fingerprint scanner on all laptops

      If you're not going to use the scanner, why the heck are you buying laptops with them? They're optional in most models of laptop I've come across, and most models that CAN feature the finger print reader often don't. Why buy something if you're just going to disable it?

    20. Re:I'm surprised most companies permit this by SeaFox · · Score: 1

      On a laptop, there are plenty of places right on the laptop itself you could lift a print from.

      That's why I use my big toe as my fingerprint authentication device.

    21. Re:I'm surprised most companies permit this by Aighearach · · Score: 1

      That may be the most widely used consumer CPU, but it is very very far from being the most widely used microprocessor. When you use the word "microprocessor," you're talking not only about CPUs but also every microcontroller and most ASICs. None of Intel's microprocessors are in the list of most used microprocessors. I doubt they even have an entry in the top 5!

Strange oversight to make while trying to be the hardware guy in the conversation...

    22. Re:I'm surprised most companies permit this by Aighearach · · Score: 1

      I have a recent thinkpad with the fingerprint scanner (I got it to play with and see if the linux software is any good, not to actually use; answer is no it is super-flaky).

      It only scans a single line of pixels at a time. Not only do you have to swipe your finger across it, you have to do so at a precise speed. And the bezel around it isn't large enough to hold a print, so you have differing surface finishes all around that area.

      The best place to lift a print would probably be on the bottom surface. It tends to be slightly elevated for airflow, and has lots of areas near the edge that are likely to be grabbed and hold prints.

    23. Re:I'm surprised most companies permit this by Aighearach · · Score: 1

      If you let employees choose their own laptop features within a budget, they'll be a lot happier with the results and they'll complain less about problems. They will also choose features that you have to disable because they violate various company policies.

      If you insert a step where somebody reviews their choices you lose a lot of the morale boost from letting them choose, because they didn't get to choose, they only got to ask.

      If you have a bunch of java monkeys, just choose for them. If you have skilled professionals with individual skills that you want to retain, then you let them choose and you don't worry about the cost of useless features that you have to disable.

    24. Re:I'm surprised most companies permit this by Anonymous Coward · · Score: 0

      Just because mythbusters did it, they have access to a lot of resources, and are able to cut out failures.

      The resources of Mythbusters are nothing compared to what is available for corporate espionage or national intelligence services.

      Biometric security is laughable. And don't bring home users into it---they are generally fine with a 4-6 character PIN.

    25. Re:I'm surprised most companies permit this by Plus1Entropy · · Score: 1

      writing down passwords is not a good idea

      Your fingerprint is a password you "write" pieces of on everything you touch. And once compromised, you can't change it.

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
    26. Re:I'm surprised most companies permit this by froggyjojodaddy · · Score: 1

      I'm not part of the purchasing team but I'll venture a guess that when buying a couple of thousand laptops at a time, you have certain specifications. Say a laptop meets all of those specs and you get a great deal on the price but it comes with a fingerprint scanner. You don't really care for the scanner but since you have the ability to disable it at the corp level, it doesn't matter.

      So it's not quite a matter of purchasing a laptop with a scanner you'll never use. Rather, you're purchasing a laptop that otherwise meets your requirements but has a feature that you don't need but since it's within your budget parameters, you'll purchase it anyway.

      You could argue that letting employees buy their own laptops is the solution but as someone who works for a 30k+ employee company, I can reassure you that's a finance / expense / support nightmare.

    27. Re:I'm surprised most companies permit this by DickBreath · · Score: 1

      The number of ARM processors in use very probably already exceeds the number of Intel processors in use.

      Quick experiment. How many PCs / Laptops do you have with "Intel Management Engine Inside!"?

      Now, how many of the following do you have: Android smartphone, tablet, RoKu, WiFi router, Smart TV, Digital camera, GPS navigator device, Printer that has a web based configuration UI, or anything else with a web based configuration UI, and other things like Nest thermostats and other various gadgets.

      --

      I'll see your senator, and I'll raise you two judges.
    28. Re:I'm surprised most companies permit this by XSportSeeker · · Score: 1

      You should dig a bit further into fingerprint reader technology before pulling all your conclusions from a Mythbusters episode... for good measure. Because they really aren't 100% safe today (nothing is), but not because of that Mythbusters episode.

      Let me tell you something about this, if you are interested: the often misused Mythbusters episode is not from "a few years ago"... it's almost 12 years old now, from an episode aired in 2006 (http://www.discovery.com/tv-shows/mythbusters/mythbusters-database/fingerprint-scanners-unbeatable/), and it was tested against an external laptop fingerprint reader and an electronic lock fingerprint reader that uses older deprecated tech (optical). The ones used today are using an entirely different mechanism (active capacitance, among others)... well, at least the ones coming out in newer devices - like smartphones, security systems and whatnot.

      Capacitance fingerprint reader, as well as newer technologies like multispectral and ultrasonic ones, are more secure than the old optical scanners. None of them are 100% secure, but most of them today wouldn't be broken by the technique used by Mythbusters back then. Some of them have been fooled by similar methods, but demanding a degree of precision that is impractical for most criminals to reproduce... like having an extremely high resolution scan of a fingerprint, making a 3d print using composite materials with multiple rounds of testing with very expensive 3d printers, stuff like that.

      Which is to say, it's still spoof-able, but it'd probably be better for the criminal to just force someone to put their finger there instead of trying to recreate it from scratch. It could be done, but it'd require a whole lot of time, social engineering, specialized machinery and materials, and work.

    29. Re:I'm surprised most companies permit this by Anonymous Coward · · Score: 0

      I can't plug OS security holes (I have to wait for others to do that, open or closed...not that it actually matters all that much given how many flaws have gone unnoticed for years in both) but I CAN do something to curb use of unreliable insecure gimmicky biometric scanners.

    30. Re:I'm surprised most companies permit this by Aighearach · · Score: 1

      Looking around the room and counting is not really a good system, in my case I've got at least 50 AVR processors within 10' and I doubt my computer monitor has more than 5 or 6 ARM cores.

      And even the AMD motherboards often have media ICs with at least 2, probably 3 processor blocks made by Intel. Their most popular processors are probably ones that don't even have a consumer part number because they put the part number on the implemented application.

      So while ARM is presumed way ahead, getting a count on either side would be hard. And clearly CPUs wouldn't be top ten. Even on their own motherboards they're outnumbered.

  3. Amazing! by Anonymous Coward · · Score: 0

And its password is the same I have on my luggage!

    1. Re:Amazing! by Aighearach · · Score: 1

And its password is the same I have on my luggage!

      The master key is the same as your luggage, too.

  4. D'oh! by VirginMary · · Score: 1
    --
When one person suffers from a delusion, it is called insanity. When many people suffer from a delusion, it is called religion.
  5. This is why I install Linux on every new PC by aglider · · Score: 1

    Maybe not everything works as expected, but at least it isn't leaking my stuff out!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re: This is why I install Linux on every new PC by Anonymous Coward · · Score: 0

      But that's part of the problem with a lot of the Linux world when it comes to wider adoption. That may work for you if you're Linux literate or an IT professional, but that doesn't work in enterprise or home desktop for grandmas. It's why FOSS can't compete with proprietary in the larger market.

      FOSS developers must learn to focus on what the user wants if they hope for wider adoption. That's why Mint has done well on desktop and Ubuntu/Fedora are doing well in enterprise. Everyone in FOSS development needs to learn from that example.

    2. Re: This is why I install Linux on every new PC by Anonymous Coward · · Score: 0

      What makes you think FOSS is interested in wider adoption ?

      Hint: They're not. Many say so unapologetically. And the rest lie, either to us or to themselves.

You see, the fact remains that the vast majority of Linux and other FOSS fans are geeks and nerds, or used to be when they were young. And there is something "l33t" about FOSS and Linux, something that they master, and the rest of the world doesn't. And that makes them feel all warm and fuzzy inside. That makes them feel needed, that gives them power, power over those who persecuted them as teens.

      Just go to any linux and other FOSS support forum if you don't believe me, and see for yourself how you're being treated.

    3. Re: This is why I install Linux on every new PC by Aighearach · · Score: 2

      I've been using linux since the 90s, and I always tell people, don't use linux unless you know what you're doing, or don't know what an OS is.

      Please don't use linux. There is nothing warm and fuzzy about it. The simple fact is that if you're not either a computer professional/enthusiast, or a very casual computer user, then you have no reason to use it. It will only be harder to use, and won't run most of your software.

      If you're casual enough that you would never try to install software without help, you just want to use some basic office and internet functionality, then great, you can make good use of linux by having somebody set it up for you. As long as you don't want to change anything, it will Just Work for a long long time.

      But if you're not an expert, and you want to be able to run random software on your computer, perhaps that you purchased in a box at a store, then please don't bother. Just use a consumer OS. Filling linux forums with your stupid questions is just going to frustrate you because you shouldn't even be asking for help. You don't even have a reason to be using it.

      Never use software tools unless you have a use case for them. Read a book or something. Go for a walk.

    4. Re: This is why I install Linux on every new PC by Anonymous Coward · · Score: 0

      You haven't seen the multitude of stories about "the year of the Linux desktop," year after year?

    5. Re: This is why I install Linux on every new PC by ColaMan · · Score: 1

      Bollocks.

      Go and be an insufferable elitist boor elsewhere.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    6. Re: This is why I install Linux on every new PC by fisted · · Score: 1

      It's not elitist, it's pretty much spot on.

    7. Re: This is why I install Linux on every new PC by Aighearach · · Score: 1

      You might want to get an umbrella, the forecast calls for rain and I'm quite sure you'll drown with your nose held that high.

      The thing you didn't comprehend about elitism is that people doing their own thing for their own reasons is actually good. Elitism is where they're keeping others out, not where they simply think it is good if people with low interest levels participate in the activity.

It's good you decided to spend a few seconds of your life to think about elitism for the first time. I commend your efforts, and I really hope you get a bit further into the issues next time.

  6. Lenovo's security continues to improve. by Anonymous Coward · · Score: 1

    When asked for comment, one Lenovo executive responded: “This is an excellent example of Lenovo’s continued commitment to improved security. At least this time we didn’t deliberately ship a rootkit.”

    1. Re:Lenovo's security continues to improve. by sabbede · · Score: 1

      HAH! Nice one. I was just thinking about what a crap reputation Lenovo is building for itself. It's a shame really, IBM made a solid laptop before they decided to sell out to China.

  7. Only one thing could make this story better by 93+Escort+Wagon · · Score: 1

    Is the hard-coded password "hunter2"?

    --
    #DeleteChrome
    1. Re:Only one thing could make this story better by Anonymous Coward · · Score: 0

      Come on now, they are better than that. They wanted to one-up the hackers.
      1Drowssap.

    2. Re:Only one thing could make this story better by Anonymous Coward · · Score: 0

      ******* is not a good password.

  8. Biometrics alone are NOT secure by Anonymous Coward · · Score: 0

A good old-fashioned lengthy passphrase (Diceware) is still the best. Biometrics + passphrase would probably be the best form of 2FA for some scenarios. Key fob or authenticator app + passphrase may be better for other scenarios.

    But perhaps the most important thing would simply be to get people to USE PASSWORD MANAGERS. What IT departments have done over the past 20 years is lunacy. People reuse the same password, or use weak ones, because it's easy and stupid password policies have pushed them into it. This industry needs a COMPLETE OVERHAUL such that the common practice is everyone uses a password manager, AES encrypted, and has to remember just one, strong master passphrase and randomly generates every other password.

  9. Hardcoded password? by Anonymous Coward · · Score: 0

    Was the hardcoded password: 'password' ??

  10. Backdoor eh? by fox171171 · · Score: 1

    is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in,"

    So weak encryption and a backdoor. Just the kind of thing the FBI and others want.

    1. Re:Backdoor eh? by Anonymous Coward · · Score: 0

      So weak encryption and a backdoor. Just the kind of thing the FBI and others want.

      More like what China wants. The Chinese are the biggest thieves of intellectual property anywhere and the Chinese Communists have no qualms whatsoever about ripping off, cheating or stealing from Americans or indeed foreigners in general. Remember that for thousands of years they called us Barbarians and treated us as such. We ought to have these facts firmly in mind when dealing with the Chinese. Thieves and liars, the lot of them, and anybody who does business with them deserves whatever they get for ignoring what has happened to others in the past. The Chinese are not your friends. You've been warned.

  11. Should it be repeated? by Anonymous Coward · · Score: 0

    Fingerprints are logins not passwords.

  12. hyperbolic by ourlovecanlastforeve · · Score: 1

    Modded down for sensationalist title.

    This is only their older fingerprint scanners.

    Current models do not have this exploit.

    1. Re:hyperbolic by Anonymous Coward · · Score: 0

Current models use the Windows 10 built-in Hello system, meaning it's out of their control.

  13. Fuck me, they issued an update? by Anonymous Coward · · Score: 0

    Seriously? Is this the same Lenovo that only ships the current version of Android on one of their tablets and refuses to provide even point release firmware updates for everything else? They must have really gotten an ass-reaming to provide an update for Windows 8.1 software.

  14. The Asus one can be bypassed by unplugging it by Anonymous Coward · · Score: 0

If you have an Asus notebook with BIOS fingerprint ID set, you can bypass it by simply disconnecting the sensor. Although the BIOS keeps the data, so when you plug the sensor back in you still need to enter a fingerprint to open the BIOS. This happens even if you reset the BIOS to factory settings.

  15. no big loss. by 140Mandak262Jamuna · · Score: 1

Their fingerprint scanners are crappy anyway, easy to fool. So a hard-coded passw0rd! is more difficult to crack than cheating the fingerprint scanner.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:no big loss. by Anonymous Coward · · Score: 0

      Citation needed.
      And, No, Mythbusters (which used an optical sensor) doesn't qualify.

    2. Re:no big loss. by Anonymous Coward · · Score: 0

      Hardcoded passwords may be hard to crack, but once you crack one (or get the backdoor password through working tech support, or seeing it posted online, etc) you've got access to every machine with that scanner. As opposed to having to fool each fingerprint reader every time.

  16. Biometric scan is not password by Anonymous Coward · · Score: 0

    It is only an ID. Therefore there is no problem in allowing bypass. Bypassing ID would be the same as refusing to sign a document.

    The problem is not with Lenovo. The problem is with the fucking stupid idiots who try to use biometric IDs as passwords to allow people access places. We don't sign ourselves to get through doors, we use keys for that. Likewise we must not use biometric signing to get through doors, we must use keys.

    It means nothing if hundreds of fictional films, games and books have visioned the use of biometric ID as keys. All their visions are stupid and wrong. IDs are not keys.

  17. top choice stupid by Anonymous Coward · · Score: 0

    how dumb do you have to be to be using this hilarious crapware on a joke of an OS?