A fingerprint sensor is supposed to give your PC much tighter security, but the magic of biometrics has fallen rather flat for some Lenovo ThinkPad laptops (and desktop PCs), with news of a flaw in the company’s software that can be exploited to bypass the scanner. That said, a patch has already been released to cure the problem.
The issue is with Lenovo’s Fingerprint Manager Pro software, which has poorly implemented encryption that can potentially be bypassed. There are caveats, though: this only affects Windows 7 and 8 systems, not machines running Windows 10. That’s because the latter OS doesn’t need the manager software, as the functionality is already integrated with Windows Hello.
The other point to note is that any attacker wishing to leverage this bug needs to have local access to the laptop or PC; this isn’t something that can be pulled off remotely, thankfully.
As mentioned, Lenovo has already issued a patch for the Fingerprint Manager Pro app, which (obviously) you should download if you have one of the affected machines. Lenovo’s security advisory has a full list of affected models; most of them are ThinkPad machines, alongside a few ThinkStation and ThinkCentre models.
Of course, even though this exploit has a limited reach in terms of not affecting Microsoft’s latest desktop OS – and requiring the attacker to be local – it’s still rather embarrassing for a flaw to hit an actual core security feature, and moreover for Lenovo’s enterprise notebooks to be involved.
The company is selling ThinkPads to businesses (and indeed individuals) as machines that can be trusted to hold sensitive data, so even a slight wobble on this front isn’t great in the bigger security picture.