If you have an older ThinkPad, ThinkCentre or ThinkStation PC with an integrated fingerprint reader, you might want to download Lenovo's latest software update. The company has acknowledged that a flaw in its Fingerprint Manager Pro software could allow a malicious actor with physical access to your device to log in with a hard-coded password, bypassing the fingerprint reader.
Lenovo says that the flaw affects Lenovo machines running Windows 7, Windows 8 and Windows 8.1. "Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in," Lenovo writes in a new support document.
Lenovo PCs running Windows 10 are not affected by this flaw, as they rely on that operating system's own built-in fingerprint authentication system. The following Lenovo systems are affected by the Fingerprint Manager Pro vulnerability:
- ThinkPad L560
- ThinkPad P40 Yoga, P50s
- ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
- ThinkPad W540, W541, W550s
- ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
- ThinkPad X240, X240s, X250, X260
- ThinkPad Yoga 14 (20FY), Yoga 460
- ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
- ThinkStation E32, P300, P500, P700, P900
Users of these devices are encouraged to download Fingerprint Manager Pro version 8.01.87 immediately.
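
For administrators checking more than one machine, the following PowerShell audit is an added example and not a Lenovo tool. It reports whether a host runs an affected Windows release and has a Fingerprint Manager Pro build older than 8.01.87. The `DisplayName` pattern and the helper name `Test-FmpNeedsUpdate` are assumptions; adjust the pattern to match what your inventory actually shows.

```powershell
# Added example: local audit for Fingerprint Manager Pro older than the fixed release.
$FixedVersion = [version]'8.01.87'            # fixed release named in the article (parses as 8.1.87)
$NamePattern  = '*Fingerprint Manager Pro*'   # assumption: text that appears in the product's DisplayName

# Standard per-machine uninstall keys (64-bit and 32-bit views of the registry)
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-FmpNeedsUpdate {
    param([string]$DisplayVersion)
    # Numeric comparison, so '8.01.100' correctly sorts after '8.01.87'.
    # A missing or unparseable version is flagged for manual review.
    try   { return ([version]$DisplayVersion) -lt $FixedVersion }
    catch { return $true }
}

# Windows 7, 8 and 8.1 report NT versions 6.1, 6.2 and 6.3; Windows 10 reports 10.0
$os = [Environment]::OSVersion.Version
$osAffected = ($os.Major -eq 6 -and $os.Minor -ge 1 -and $os.Minor -le 3)

$found = @(Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern })

if ($found.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: Fingerprint Manager Pro not found"
}

foreach ($app in $found) {
    $needsUpdate = Test-FmpNeedsUpdate $app.DisplayVersion
    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        Product      = $app.DisplayName
        Version      = $app.DisplayVersion
        OSVersion    = $os.ToString()
        OSAffected   = $osAffected
        NeedsUpdate  = $needsUpdate
        ActionNeeded = ($osAffected -and $needsUpdate)
    }
}
```

Hosts where `ActionNeeded` is true should be updated to version 8.01.87.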