Subscribe to our newsletters
Sign Up

The Hacker News — Cyber Security, Hacking, Technology News

Monday, January 29, 2018 Wang Wei

lenovo-fingerprint-scanner
Lenovo has recently rolled out security patches for a severe vulnerability in its Fingerprint Manager Pro software that could allow leak sensitive data stored by the users.

Fingerprint Manager Pro is a utility for Microsoft Windows 7, 8 and 8.1 operating systems that allows users to log into their fingerprint-enabled Lenovo PCs using their fingers. The software could also be configured to store website credentials and authenticate site via fingerprint.

In addition to fingerprint data, the software also stores users sensitive information like their Windows login credentials—all of which are encrypted using a weak cryptography algorithm.

According to the company, Fingerprint Manager Pro version 8.01.86 and earlier contains a hard-coded password vulnerability, identified as CVE-2017-3762, that made the software accessible to all users with local non-administrative access.

"Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in," the company said in its advisory, giving brief about the vulnerability.
The vulnerability impacts Lenovo ThinkPad, ThinkCentre and ThinkStation laptops, and affects more than two dozen Lenovo ThinkPad models, five ThinkStation Models and eight ThinkCentre models that run Windows 7, 8 and the 8.1 operating systems.

Here's the full list of Lenovo devices compatible with Fingerprint Manager Pro and impacted by the vulnerability:

  • ThinkPad L560
  • ThinkPad P40 Yoga, P50s
  • ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
  • ThinkPad W540, W541, W550s
  • ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
  • ThinkPad X240, X240s, X250, X260
  • ThinkPad Yoga 14 (20FY), Yoga 460
  • ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
  • ThinkStation E32, P300, P500, P700, P900

Lenovo has credited security researcher Jackson Thuraisamy with Security Compass for discovering and responsibly reporting the vulnerability.

The popular Chinese computer manufacturer strongly recommends its ThinkPad customers to update their devices to Fingerprint Manager Pro version 8.01.87 or later to address the issue. You can also head on to the company's official website to do so.

Since Microsoft added native fingerprint reader support with Windows 10 operating system, thus eliminating the need for the Fingerprint Manager Pro software, Lenovo laptops running Windows 10 are not impacted by the vulnerability.

Wednesday, September 21, 2016 Mohit Kumar

Microsoft-signature-edition-linux
In past few months, Microsoft opened the source code of a lot of its projects, convincing people that the company loves Linux.

But a new report shows that Microsoft is not really a big supporter of Linux.

Microsoft has banned Linux on some Windows 10 powered Signature Edition PCs, which provides the cleanest Windows experience on the market.

Signature Edition PCs are different from other systems because it is carefully and meticulously configured by Microsoft to run Windows 10 with no bloatware, paid promotional web shortcuts, or other pre-installed apps, for providing better performance.

But besides bloatware and other pre-installed apps, Microsoft won't allow you to install Linux (or any operating system) on it.

This news is not a rumor as a Reddit user BaronHK reported that he found it impossible to install Linux on the Signature Edition Lenovo Yoga 900 ISK2 UltraBook because Microsoft has locked the SSD in a proprietary RAID mode that can only be read by Windows.

When contacted Lenovo, the company confirmed that it had signed an agreement with Microsoft to make this happen.
"This system has a Signature Edition of Windows 10 Home installed. It is locked per our agreement with Microsoft," a Lenovo employee responded to a comment made by BaronHK about the issue.
Lenovo laptops that are not allowing its users to install Linux include the aforementioned Yoga 900 ISK2, the Yoga 900S, as well as the Yoga 710S.
linux-microsoft
Some have suggested that the issue that prevents Linux from being installed could be Microsoft decision, while others believe that the issue could be related to how the systems have been configured by Lenovo.

For now, all which is clear is that, if you own a Lenovo Signature Edition laptop, you can not install Linux on it.

Microsoft and Lenovo still have to officially comment on this possible restriction configured for Signature Edition PCs.

Tuesday, January 26, 2016 Swati Khandelwal

shareit-file-sharing
What do you expect a tech giant to protect your backdoor security with?

Holy Cow! It's "12345678" as a Hard-Coded Password.

Yes, Lenovo was using one of the most obvious, awful passwords of all time as a hard-coded password in its file sharing software SHAREit that could be exploited by anyone who can guess '12345678' password.

The Chinese largest PC maker made a number of headlines in past for compromising its customers security.

It had shipped laptops with the insecure SuperFish adware, it was caught using Rootkit to secretly install unremovable software, its website was hacked, and it was caught pre-installing Spyware on its laptops. Any of these incidences could have been easily prevented.

Now, Research center of Core Security CoreLabs issued an advisory on Monday that revealed several software vulnerabilities in Lenovo SHAREit app for Windows and Android that could result in:
  • Information leaks
  • Security protocol bypass
  • Man-in-the-middle (MITM) attacks

Critical Vulnerabilities in SHAREit


SHAREit is a free file sharing application that is designed to allow people to share files and folders from Android devices or Windows computers over a local LAN or through a Wi-Fi hotspot that's created.

All the vulnerabilities were remotely exploitable and affected the Android 3.0.18_ww and Windows 2.5.1.1 versions of SHAREit.

Here's the list of four vulnerabilities:
  • Use of Hard-coded Password [CVE-2016-1491]
  • Missing Authorization [CVE-2016-1492]
  • Missing Encryption of Sensitive Data [CVE-2016-1489]
  • Information Exposure [CVE-2016-1490]
The first vulnerability (CVE-2016-1491) would make you scream… How Dare You!

Using '12345678' as Hard Coded Password


Lenovo was using '12345678' as a hard-coded password in SHAREit for Windows that has been awarded the title of the Third Worst Password of 2015 by the password management firm SplashData.

Here's what Core Security researchers explain:
"When Lenovo SHAREit for Windows is configured to receive files, a Wi-Fi HotSpot is set with an easy password (12345678). Any system with a Wi-Fi Network card could connect to that Hotspot by using that password. The password is always the same."
This is ridiculous especially when the passwords in any application are hard-coded and unchangeable by an average user, putting its consumers and their data at risk.

Other Critical Flaws Left Millions of Users at Risk


However, the issue got worse when the second vulnerability (CVE-2016-1492) came into play. In the second flaw, that applied only to SHAREit for Android, an open WiFi hotspot is created without any password when the app is configured to receive files.

This could have allowed an attacker to connect to that insecure WiFi hotspot and capture the data transferred between Windows and Android devices.
This didn't end here. Both Windows and Android were open to the third flaw (CVE-2016-1489) that involved the transfer of files via HTTP without encryption.

This allowed hackers to sniff the network traffic and view the data transferred or perform Man-in-the-Middle (MitM) attacks in order to modify the content of the transferred files.

Finally, the last but not the least, fourth vulnerability (CVE-2016-1490) discovered by CoreLabs relates to the remote browsing of file systems within Lenovo ShareIt and builds upon the default 12345678 Windows password issue reported above.
"When the Wi-Fi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP Request to the WebServer launched by Lenovo SHAREit," says the advisory.

Patch Now!


The researchers at Core Security privately reported the flaws to Lenovo back in October last year, but the tech giant took three months to patch the flaws.

Patches for both Android as well as Windows phone are made available on the Google Play Store and here, respectively. So, SHAREit users are advised to update their apps as soon as possible.

Wednesday, February 25, 2015 Wang Wei

Lenovo Website has been Hacked
Lenovo.com, the official website of world's largest PC maker has been hacked.

At the time of writing, users visiting Lenovo.com website saw a teenager's slideshow and hacker also added song "Breaking Free" from High School Musical movie to the page background.

It appears that Lizard Squad hacking group is responsible for the cyber attack against Lenovo and it could be in retaliation to the Superfish malware incident.

It was revealed earlier this week that Lenovo had been pre-installing controversial 'Superfish' adware to its laptops which compromised the computer's encryption certificates to quietly include more ads on Google search.
In the Source code of the hacked webpage, description says,"The new and improved rebranded Lenovo website featuring Ryan King and Rory Andrew Godfrey
Rory Andrew Godfrey and Ryan King have been previously identified as members of Lizard Squad Hacking Group. It is not clear whether anyone of them is involved in the hack or it is quite possible that attacker is trying to expose the real identity of the hacking crew.

The Superfish Malware raised serious security concerns about the company’s move for breaking fundamental web security protocols, because anyone with the password that unlocks that single password-protected certificate authority would be able to completely bypass the computer's web encryption.

After that Facebook security team also discovered at least 12 more apps using the same "SSL hijacking" technology that gave the Superfish malware capability to evade rogue certificate.

Although Lenovo has admitted their mistake and distributing a Superfish removal tool for cleaning computer.

Monday, July 29, 2013 Wang Wei

According to a new report, the world’s biggest personal computer maker, Chinese firm Lenovo Group Limited has reportedly been banned from supplying equipment for networks of the intelligence and defense services of Australia, the United States, Britain, Canada and New Zealand, due to hacking concerns.
Sources from intelligence and defense entities in the UK and Australia have confirmed the ban introduced in the mid-2000s after intensive laboratory testing of its equipment. In 2006 it was disclosed that the US State Department had decided not to use 16,000 new Lenovo computers on classified networks because of security concerns.

Serious backdoor vulnerabilities in hardware and firmware were apparently discovered during the tests which could allow attackers to remotely access devices without the knowledge of the owner.

Lenovo, headquartered in Beijing, acquired IBM’s personal computer business in 2005, after which IBM continued to sell servers and mainframes that were accredited for secret and top-secret networks. GCHQ, MI5, MI6, the Australian Security Intelligence Organization, the Australian Secret Intelligence Service, and the NSA were all named as participating in the Lenovo ban.

Hardware backdoors are very hard to detect if they are well-designed, according to James Turner, an IT security analyst at IBRS, a technology research firm.

In the UK meanwhile, Huawei’s cyber-security practices are currently under review from the government, after an Intelligence and Security Committee report said the company could pose a significant threat to the UK's telecommunications industry if its self-policing security policy remained unchecked.

Newsletter Subscription

Subscribe to our newsletter and get all latest hacking news, free eBooks delivered to your inbox.

Join Over 450,000 Subscribers!