back to article Lenovo's craptastic fingerprint scanner has a hardcoded password

Lenovo wants ThinkPad owners to update their machines after its Fingerprint Manager Pro software was found to contain serious security vulnerabilities. Among the glaring flaws cited: a hardcoded password. In the fingerprint scanner. To log into the computer. "Sensitive data stored by Lenovo Fingerprint Manager Pro, including …

  1. s2bu

    The apocalypse...

    ... it must be starting because I’m about to utter words I never thought I’d say...

    For once, I’m glad I’m actually running Windows 10! (vs an older version of Windows, obviously and not something superior).

    1. Steve Davies 3 Silver badge

      Re: The apocalypse...

      For once, I’m glad I’m NOT running Windows OR using a Lenovo device.

      there fixed it for you.

      Once upon a time Thinkpads were the gold standard. That was a long long time ago.

      1. s2bu

        Re: The apocalypse...

        Eh. I dare say the hardware is still pretty good. At least better than others out there at the price point.

        1. Aitor 1 Silver badge

          Re: The apocalypse...

          Let me doubt it.

          If the regular SW is that bad, waht makes you think the firmware, that is more obscure by definition, is any better?

          My laptop is a Lenovo too, and I find this at the very least, annoying.

        2. rmason Silver badge

          Re: The apocalypse...

          It's still excellent. Rock solid. since switching from HP to lenovo for laptops we've yet to need to send back a warranty job (YMMV), DOA or early failures were getting more and more common with HP kit.

          We've got mainly thinkpad "e" series (i5 and i7) with a scattering of Yogas.

    2. Chloe Cresswell

      Re: The apocalypse...

      Where as I have a thinkpad running windows 10, and apparently I have to make a change to the registry to be allowed to even use the fingerprint scanner.

      I guess that makes it sort of secure..

      1. s2bu

        Re: The apocalypse...

        Interesting. On my P71, it “just worked”. At least until I broke it playing around the registry.

      2. rmason Silver badge

        Re: The apocalypse...

        We've had this too, all the options are greyed out despite not GPO or similar in place to do so.

        Lenovo thinkpad E serie and Yogas, mixed win 7/8 and 10.

        Oh well, doesn't seem like there is much point me fixing it.

    3. enormous c word

      Re: The apocalypse...

      Phew! Thats a relief - now if someone nicks my laptop, they wont need to cut my finger off to access.

  2. Paul
    Facepalm

    Lenovo get fingered again for bad security

    Lenovo get fingered again for bad security

    .. I'll get me coat!

  3. Robert Moore
    Linux

    Security is hard.

    Really glad I never setup the fingerprint scanner on my Lenovo laptop.

    For that matter, running Linux on it probably doesn't hurt much either. :)

    1. kain preacher Silver badge

      Re: Security is hard.

      Donl't worry the engineers at lenovo are working hard to find a way to the linux users to enjoy the same level of enjoyment as window users

    2. Mark 65 Silver badge

      Re: Security is hard.

      But how many times does it need to be reiterated that a fingerprint is the user id not the password?

      Why can the IT industry not understand this?

  4. sloshnmosh

    Lenovo again?

    Thank God I bought an HP!

    Oh, wait...

  5. Anonymous Coward
    Anonymous Coward

    Does anyone really..

    ...think these security blunders are "mistakes" nowadays?

    Keyloggers, hardcoded passwords, leftover Developer tools, web browser injections etc etc.

    And I have serious doubts about the "security" companies that we have to turn to for "protection" given these "antivirus" programs are fingering memory and injecting java into web browsers and sending scan results and God knows what else to some "cloud" somewhere.

    I see that many of these AV companies are offering "VPN" services now too...such as Kaspersky using "HotSpot Shield" of all things.

    End Times indeed!

    1. s2bu

      Re: Does anyone really..

      Actually, yes, I believe it. When you farm out development to the lowest cost development contractor and then set a hard short deadline, stuff like this happens.

      In the grand scheme of things, the CxO considers the short term of cost of dealing with the blunder less than the long term cost of decent devs. Seem reason why software is getting buggier, slower, more bloated, etc.

      Off topic: Saw a RHEL errata notice yesterday about version 3.2.32-22 or some such of “at” not properly handling certain situations when running commands. So it’s 2018 and yet a fairly basic app with a crazy high version for its functionality still can’t even do its core functionality correctly without bugs. Yet they expect us to trust self-driving/flying/etc vehicles and such. NO THANK YOU!

    2. Tom Paine Silver badge

      Re: Does anyone really..

      ...think these security blunders are "mistakes" nowadays?

      What's the simplest explanation consistent with the observed evidence

      1. Chairo

        Re: Does anyone really..

        Fat fingers?

        1. Sir Runcible Spoon Silver badge

          Re: Does anyone really..

          Now I'd be the first to suggest that correllation != causation, but it's an interesting observation that in 20 years of not using AV products, I have never really suffered from a nasty virus.

          YMMV of course :)

  6. Anonymous Coward
    Anonymous Coward

    From ThinkPad to DankPad

    ...at the touch of a finger!

  7. GBE

    Thinkpads are great!

    I've said it before.

    Thinkpads are great...

    ... but you've got to wipe the disk and install a decent OS on them.

    I recommend some flavor of Linux or BSD.

    1. Loud Speaker

      Re: Thinkpads are great!

      I have Several Thinkpads with Linux and/or OpenBSD on - are you sure they are safe?

      (I doubt this fix will be enough to make Windows secure).

    2. Paul Woodhouse

      Re: Thinkpads are great!

      I find old SL510's absolutely fly with Arch on em.... and you don't need to mess about finding out obscure details about the hardware either...

  8. Jaap Aap

    Is there someone actually _using_ a fingerprint scanner in a laptop?

    It seems like a hard way to set up some form of (two factor) authentication. It's not like it works out of the box in an enterprise environment. And at home, why bother?

    1. s2bu

      TPM

      When properly configured, the scanner + TPM is a fairly decent method of secure access and credential storage.

    2. david 142

      I use my fingerprint scanner on my win 7 x220 thinkpad. It adds a layer of security to keep the casual pest out. It doesn't do much more but my family wouldn't be able to get past it.

    3. Anonymous Coward
      Anonymous Coward

      @Jaap Aap - You're missing the

      coolness, or "Look at me, mom!" factor.

    4. James 29

      Yes on my work and personal devices

      Because swiping my finger on the sensor is much quicker than trying to remember a complex password, then having to type it in!

      1. Pascal Monett Silver badge
        Thumb Up

        I'm sure the guy who lifted your fingerprint from your keyboard totally agrees with you.

  9. James Anderson

    To be fair

    Lenovo inherited this rubbish from IBM. Who used to be a great hardware company, but, they always scared away any decent developers.

    1. td97402

      Re: To be fair

      “Lenovo inherited this rubbish from IBM.”

      It has been 11 years Since Lenovo bought IBM’s PC business. They’ve have more than enough time to write their own bug-ridden drivers. That was the days of XP for gawd sake. All the drivers from those days are in the bin.

  10. Hans 1 Silver badge
    Windows

    WTF ????

    Why would you use a fingerprint scanner ? The casing of your laptop and your keyboard is full of your fingerprints. Laptops make it EVEN WORSE BECAUSE OF THE PHYSICAL KEYBOARD!!!!!!!!

    I would take the finger print on the letter J, transfer it to wax and be in your computer in less than 5 minutes, 5 minutes ? Well I need to wait for wax to cool and harden...

    Do not use bio-metrics on portable devices.

    Do not use bio-metrics on portable devices.

    Do not use bio-metrics on portable devices.

    Do not use bio-metrics on portable devices.

    Do not use bio-metrics on portable devices.

    Do not use bio-metrics on portable devices.

    Do not use bio-metrics on portable devices.

    How long .... how long must we sing this song!

    1. Tom Paine Silver badge

      Re: WTF ????

      Do not use fingerprints, maybe.

    2. SAdams

      Re: WTF ????

      “Why would you use a fingerprint scanner ? The casing of your laptop and your keyboard is full of your fingerprints.”

      It depends whether you’re using them to logon to the OS. If you’re purely using them to get past the BIOS POST etc, then I don’t see a big problem with fingerprints as one of your factors of authentication. If you go by “something you have and something you know” then there is always the chance of the “something you have” part being stolen along with the actual device being secured.

      When you add “something you know” as a password which is not so complicated that people need to write it down, thats not bad for a standard user laptop surely ?

      1. Sir Runcible Spoon Silver badge

        Re: WTF ????

        " there is always the chance of the “something you have” part being stolen along with the actual device being secured."

        Which is why a 2fa token number should always be accompanied by a pin to gain access. That way even if someone puts their mitts on the seed file they still have to guess the pin.

  11. unwarranted triumphalism

    This is still Apple's fault.

    1. GBE

      Somebody should have T-shirts made

      This is still Apple's fault.

      Somebody should sell T-shirts that say that. There should probably be "Microsoft" and "Intel" versions also.

      1. Not also known as SC

        Re: Somebody should have T-shirts made

        Don't forget Google.

      2. Michael Wojcik Silver badge

        Re: Somebody should have T-shirts made

        One shirt with a set of hook-and-loop company names, so you can pick the scapegoat of the day.

        Though at that point I suppose you might as well just get a shirt with an e-Ink display. Someone must sell that, right? (Actually a quick search turned up a bunch of prototypes, and fretting about t-shirt advertising from the digiterati, but no actual products. But I didn't put much effort into it.)

  12. James 51 Silver badge

    Could make it fingerprint and password rather than instead of.

  13. Triumphantape

    I bought myself one to replace my 2009 Macbook pro, format, clean win10 iso onward.

    Also got it cheaper than the 1999$ Macbook pro selling on Apple right now, and with better specs than the Apple.

  14. bdg2

    I'm sure I heard a long time ago that the software that goes with these fingerprint scanners was appallingly insecure.

  15. Toni the terrible

    Phones

    And the Lenovo owned Moto G5s with fingerprint scanner?

  16. David Lawrence

    Too late....

    ....a recent W10 update stopped the fingerprint scanner from working on my Thinkpad. Can't be bothered to look into precisely why. Upshot is that thanks to good old M$ it's become a defunct thing so issues such as this no longer threaten me. Ha!

  17. TheBat

    So Lenovo settles with FCC with regards Cr*pware

    So for a fresh ISO install of Windows 10 Pro (yes Pro) the amount of "useful work-related apps" like XBOX, Mail etc.... does not qualify as "Cr*pware". Not to mention the horrible mail app that you can't uninstall without a Powershell hack. Perhaps Windows 10 Pro should be renamed "Windows 10 Home Advance" and release a version that does not, by default install all of these, but have Store and Edge so that those who do want to install those "apps" can......

  18. FlippingGerman

    How?

    Seriously, people this incompetent should be shot (well, perhaps not so seriously). Is there no one at Lenovo in management who says "ok guys, just to make sure, the fingerprint scanner stuff, you did it the right way, right?"

  19. Jin

    Adding fingerprint to PIN-protected device brings a vulnerability

    Don’t forget that biometrics with a fallback password comes with a security lower than a password authentication Two entrances placed in parallel provide nice convenience to criminals.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019