Lenovo at it again....

tpatt100 Member Posts: 2,991
When relatives ask my opinion on a cheap computer they find on Amazon or Best Buy, I send them to the Microsoft store for their Signature line or Apple.

Lenovo used a hidden Windows feature to ensure its software could not be deleted
A recently uncovered feature – which had been swept under the rug – allowed new Lenovo laptops to use a Windows feature to automatically install the company’s software and tools even if the computer was wiped.

The oddity was first noted by Ars Technica forum user ‘ge814’ and corroborated by Hacker News user ‘chuckup’.


The users discovered the issue in May when using a new Lenovo laptop that reportedly automatically and covertly overwrote a system file on every boot, which downloaded a Lenovo updater and installed software automatically, even if Windows was reinstalled from a DVD.

The only problem is that nobody actually asked for this software, and it supposedly persisted between clean installs of Windows. If true, Lenovo was essentially exploiting a rootkit on its own laptops to ensure its software persists if wiped. We’re working to verify how widely the mechanism was used.


How it works
The mechanism triggering this is called the Lenovo Service Engine, which downloads a program called OneKey Optimizer used for “enhancing PC performance by updating firmware, drivers and pre-installed apps” as well as “scanning junk files and find factors that influence system performance.”

It also sends “system data to a Lenovo server to help us understand how customers use our products” but the company claims it’s not “personally identifiable information.” The problem is, users have no idea this is going on and it was very hard to get rid of.

If Windows 7 or 8 is installed, the BIOS of the laptop checks ‘C:\Windows\system32\autochk.exe’ to see if it’s a Microsoft file or a Lenovo-signed one, then overwrites the file with its own.


Then, when the modified autochk file is executed on boot, another two files, LenovoUpdate.exe and LenovoCheck.exe, are created, which set up a service and download files when connected to the internet.


A July 31 security bulletin refers to a vulnerability found in the Lenovo Service Engine, a way attackers could exploit the mechanism by using a malicious server to install software.


The company issued a patch to remove the functionality altogether, though it requires manual execution to disable the functionality. Users do not appear to receive it automatically.

Allowed by Microsoft
The mechanism Lenovo was using is actually a Microsoft sanctioned technique, called the “Windows Platform Binary Table” first introduced in November 2011 and updated for the first time in July of this year.


The document had only two mentions online before today, one from an apparent Lenovo software engineer asking for help tinkering with laptop ACPI tables.

The feature allows computer manufacturers to push software for installation from the BIOS to the system, meaning it’ll persist between installations of Windows regardless of whether it’s a clean installation or not.

The document was modified upon discovery of the Lenovo exploit in early July to say that it exists to allow “critical software” like “anti-theft software” to persist across reinstallation of operating systems. Computer manufacturers like Lenovo seem to have a different idea of what that actually means (see also: the time Lenovo installed software that hijacked secure internet traffic).


Manufacturers are obligated to ensure that the mechanism can be updated if an attack is discovered and should be removable by the user, but the rules outlined in the document are fairly loose and don’t require the OEM to notify the owner of the laptop that such a mechanism is in place.

Both users reported being confused about how Lenovo software was installed on their computers after performing an installation from a DVD.

A wide range of Lenovo laptops may be affected by the issue: Flex 2 Pro-15/Edge 15 (Broadwell/Haswell models), Flex 3-1470/1570/1120, G40-80/G50-80/G50-80 Touch/V3000, S21e, S41-70/U40-70, S435/M40-35, Yoga 3 14, Yoga 3 11, Y40-80, Z41-70/Z51-70 and Z70-80 / G70-80.


A scary future
The revelation is one that makes me slightly nervous: a truly clean, untouched install of Windows is now very difficult to achieve and computer manufacturers may be quietly installing software with no way to tell.


Other manufacturers could have been using the technique without user knowledge, but it’s unclear at this time.


At least there’s good news: if you own one of these laptops you can disable the feature right now by downloading the utility at this link. The bad news: it probably wasn’t already done for you.

When we asked Lenovo for comment, they directed us back to the bulletin that describes the patch with no further information. Microsoft is yet to respond with a comment.

If you have an affected laptop, let us know in the comments. We’d love to talk to you.
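The article above describes the Windows Platform Binary Table mechanism only in prose. The Python below is an added example, not code from the article, from Lenovo or from Microsoft: it parses a WPBT ACPI table according to Microsoft's published layout (the standard 36-byte ACPI header, then handoff-memory size and physical address, a layout byte, a type byte, and a UCS-2 argument string), verifies the ACPI checksum, and, on Windows only, reads the live table through kernel32!GetSystemFirmwareTable so you can see whether your own firmware hands Windows a platform binary at all. The sample table is constructed here for the example; its OEM strings, address and argument are placeholders, not bytes captured from a Lenovo machine. It looks only at the ACPI table, not at autochk.exe or the LenovoUpdate.exe/LenovoCheck.exe files the article mentions.

```python
"""Parse and validate a Windows Platform Binary Table (WPBT).

Added example for this thread; not code from the article, Lenovo or Microsoft.
Field layout follows Microsoft's WPBT specification.
"""
import struct
import sys
from dataclasses import dataclass
from typing import Optional

# Standard ACPI description header (36 bytes, little-endian): Signature, Length,
# Revision, Checksum, OEMID, OEM Table ID, OEM Revision, Creator ID, Creator Rev.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT-specific fields after the header: HandoffMemorySize (u32),
# HandoffMemoryLocation (u64 physical address of the PE image), Layout (u8,
# 1 = single PE image), Type (u8, 1 = native user-mode application),
# ArgumentsLength (u16, byte length of the UCS-2 argument string that follows).
WPBT_BODY = struct.Struct("<IQBBH")
CHECKSUM_OFFSET = 9


@dataclass
class Wpbt:
    oem_id: str
    oem_table_id: str
    revision: int
    checksum_ok: bool
    handoff_size: int
    handoff_location: int
    layout: int
    binary_type: int
    arguments: str


def acpi_checksum_ok(table: bytes) -> bool:
    """An ACPI table is valid when all of its bytes sum to zero modulo 256."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> Wpbt:
    """Decode a raw WPBT; raise ValueError on structural problems."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("buffer too short to be a WPBT")
    (sig, length, rev, _csum, oem_id, oem_tid,
     _oem_rev, _cid, _crev) = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"signature {sig!r} is not WPBT")
    if length != len(table):
        raise ValueError(f"header length {length} != buffer length {len(table)}")
    size, loc, layout, btype, arglen = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    arg_off = ACPI_HEADER.size + WPBT_BODY.size
    if arglen % 2 or arg_off + arglen > len(table):
        raise ValueError("argument string does not fit inside the table")
    args = table[arg_off:arg_off + arglen].decode("utf-16-le").rstrip("\x00")
    return Wpbt(oem_id.decode("ascii", "replace").strip(),
                oem_tid.decode("ascii", "replace").strip(),
                rev, acpi_checksum_ok(table), size, loc, layout, btype, args)


def is_valid_wpbt(table: bytes) -> bool:
    """True only for a structurally sound WPBT whose checksum is correct."""
    try:
        return parse_wpbt(table).checksum_ok
    except ValueError:
        return False


def build_wpbt(oem_id: bytes, oem_table_id: bytes, handoff_size: int,
               handoff_location: int, arguments: str = "") -> bytes:
    """Assemble a WPBT with a correct checksum (used to make the sample below)."""
    args = arguments.encode("utf-16-le")
    total = ACPI_HEADER.size + WPBT_BODY.size + len(args)
    table = bytearray(ACPI_HEADER.pack(b"WPBT", total, 1, 0, oem_id.ljust(6),
                                       oem_table_id.ljust(8), 1, b"EXMP", 1))
    table += WPBT_BODY.pack(handoff_size, handoff_location, 1, 1, len(args))
    table += args
    table[CHECKSUM_OFFSET] = (-sum(table)) & 0xFF   # make the byte sum 0 mod 256
    return bytes(table)


def read_wpbt_from_firmware() -> Optional[bytes]:
    """Return the live WPBT via kernel32!GetSystemFirmwareTable, Windows only.

    None means "not Windows" or "firmware exposes no WPBT"; the latter is what
    a machine without an OEM platform binary should report.
    """
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    provider = 0x41435049                          # 'ACPI', as in Microsoft's docs
    table_id = int.from_bytes(b"WPBT", "little")   # signature as it sits in memory
    needed = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if needed == 0:
        return None
    buf = ctypes.create_string_buffer(needed)
    got = k32.GetSystemFirmwareTable(provider, table_id, buf, needed)
    return buf.raw[:got] if got else None


# Constructed sample: OEM strings, address and argument are placeholders,
# not values captured from a Lenovo system.
SAMPLE_WPBT = build_wpbt(b"EXAMPL", b"PLATBIN", 0x2000, 0x7F00_0000, "/silent")


def main() -> None:
    raw = read_wpbt_from_firmware() or SAMPLE_WPBT
    source = "constructed sample" if raw is SAMPLE_WPBT else "firmware"
    w = parse_wpbt(raw)
    print(f"WPBT ({source}): OEM={w.oem_id!r} table={w.oem_table_id!r} rev={w.revision}")
    print(f"  handoff {w.handoff_size:#x} bytes at {w.handoff_location:#x}, "
          f"layout={w.layout} type={w.binary_type} args={w.arguments!r}")
    print(f"  checksum {'OK' if w.checksum_ok else 'BAD'}")


if __name__ == "__main__":
    main()
```

On a Windows box the firmware path is what matters: a return of None from read_wpbt_from_firmware() means no platform binary is being handed to Windows, while a parsed table tells you who the OEM is and where the PE image lives. Off Windows the script falls back to the constructed sample so the parser can still be exercised.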

Comments

  • tpatt100 Member Posts: 2,991
    Lenovo's response

    Lenovo Statement on Lenovo Service Engine (LSE) BIOS
    In the April - May timeframe, Lenovo made available new BIOS firmware for some of its consumer PCs that eliminated a security vulnerability that was discovered and brought to its attention by an independent security researcher, Roel Schouwenberg. In coordination with Mr. Schouwenberg and in line with industry responsible disclosure best practice, on July 31, 2015, we issued Lenovo Product Security Advisories that highlighted the new BIOS firmware – specifically for consumer Notebook and Desktop. Lenovo always strongly recommends that users update their systems with the latest BIOS firmware. Starting in June, the new BIOS firmware has been installed on all newly manufactured Lenovo consumer notebook and desktop systems.
    The vulnerability was linked to the way Lenovo utilized a Microsoft Windows mechanism in a feature found in its BIOS firmware called Lenovo Service Engine (LSE) that was installed in some Lenovo consumer PCs. Think-brand PCs are unaffected. Along with this security researcher, Lenovo and Microsoft have discovered possible ways this program could be exploited in the Lenovo Notebook implementation by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server.

    As a result of these findings, Microsoft recently released updated security guidelines (see page 10 of this linked PDF) on how to best implement this Windows BIOS feature. Lenovo’s use of LSE was not consistent with these new guidelines. As a result, LSE is no longer being installed on Lenovo systems. It is strongly recommended that customers update their systems with the new BIOS firmware which disables and/or removes this feature.

    LSE was shipped on some Lenovo-branded notebook systems running Windows 7, 8 and 8.1 and desktop systems running Windows 8 and 8.1 as listed below. The software does not come loaded on any Think-branded PCs.

    List of affected Lenovo Products:

    Lenovo Notebook
    Flex 2 Pro 15 (Broadwell)
    Flex 2 Pro 15 (Haswell)
    Flex 3 1120
    Flex 3 1470/1570
    G40-80/G50-80/G50-80 Touch
    S41-70/U41-70
    S435/M40-35
    V3000
    Y40-80
    Yoga 3 11
    Yoga 3 14
    Z41-70/Z51-70
    Z70-80/G70-80
    Lenovo Desktop
    World Wide
    A540/A740
    B4030
    B5030
    B5035
    B750
    H3000
    H3050
    H5000
    H5050
    H5055
    Horizon 2 27
    Horizon 2e(Yoga Home 500)
    Horizon 2S
    C260
    C2005
    C2030
    C4005
    C4030
    C5030
    X310(A78)
    X315(B85)

    Lenovo Desktop
    China Only
    D3000
    D5050
    D5055
    F5000
    F5050
    F5055
    G5000
    G5050
    G5055
    YT A5700k
    YT A7700k
    YT M2620n
    YT M5310n
    YT M5790n
    YT M7100n
    YT S4005
    YT S4030
    YT S4040
    YT S5030
  • cruwl Member Posts: 341
    Guy at work pointed this out yesterday, hadn't seen the response yet though from Lenovo.

    FYI I will never recommend/purchase a Lenovo product my self after reading about all of this.
  • TheProf Users Awaiting Email Confirmation Posts: 331
    Just heard about this too.. Too bad, I bought my girlfriend a Lenovo laptop, great product and absolutely no issues.
  • varelg Banned Posts: 790
    Sadly, Lenovo isn't alone in practicing rootkits. Sony is allegedly at it, as well as Toshiba. A number of hard drive manufacturers were also cited as cooperating with NSA on planting an NSA rootkit on their products.
  • gespenstern Member Posts: 1,243
    Well, it is more of a crapware problem than real security problem. Not likely that they are hunting for your SSN or something.
  • YFZblu Member Posts: 1,462
    gespenstern wrote: »
    Well, it is more of a crapware problem than real security problem.

    This is very clearly a real security problem:
    ...Lenovo and Microsoft have discovered possible ways this program could be exploited in the Lenovo Notebook implementation by an attacker, including a buffer overflow attack...

    Even if this vuln didn't exist in Lenovo's implementation, this is rootkit behavior. Whether or not you personally trust Lenovo is not the issue. This, plus the Superfish thing from earlier in the year, is pretty awful.
  • SaSkiller Member Posts: 337
    And it is clear that Microsoft cannot be trusted to not permit this type of activity. They keep inching forward. I'm done with them.
    OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
  • veritas_libertas Member Posts: 5,746
    I should not have been surprised, but the level of arrogance and disregard for the privacy and security of their customers made my eyebrows raise. Persistent BIOS-level ad-ware is more than a little alarming no matter who the creators are. I don't think I will ever feel comfortable purchasing or encouraging others to purchase Lenovo PCs.
  • TechGuru80 Member Posts: 1,539
    varelg wrote: »
    Sadly, Lenovo isn't alone in practicing rootkits. Sony is allegedly at it, as well as Toshiba. A number of hard drive manufacturers were also cited as cooperating with NSA on planting an NSA rootkit on their products.
    There was an article on darkreading maybe 6 months ago about somebody finding out how to put malware in the firmware, which prevents deletion and concluded it required them to SOMEHOW get insider documentation.
  • vinnypolston Member Posts: 53
    That's just disheartening. The build quality of Lenovo has always impressed me. Got to be more intentional about checking things out. Thanks for the heads up!
  • scaredoftests Mod Posts: 2,780 Mod
    How can you tell that crap is on your computer?
    Never let your fear decide your fate....
  • TechGuru80 Member Posts: 1,539
    scaredoftests wrote: »
    How can you tell that crap is on your computer?
    Using Wireshark or tcpdump would be a good start since a lot of the stuff is meant to talk to the mothership somehow.
  • scaredoftests Mod Posts: 2,780 Mod
    Good to know. I have a Lenovo laptop which I have loved, but it is coming to the end of its life. I was leaning towards Lenovo.
    Never let your fear decide your fate....
  • Fulcrum45 Member Posts: 621
    We are a Lenovo shop -X1 Carbons and Yoga 2 Pros- and I don't recommend either. I would estimate that close to 15% of our laptops have had parts replaced within the last 18 months. As we speak I have two X1s sitting here waiting for motherboard replacements- parts are on backorder. Supply issues aside I will say that Lenovo (or IBM rather) does an excellent job of servicing the issues but all the same I'd rather not be on a first name basis with the repair technicians.
  • MrJimbo19 Member Posts: 49
    I am not necessarily against the idea of having this ability. Take for example someone stealing a system and wiping it before connecting to the internet with it. With something like this in place you could have the system phone home its location regardless of what someone does to the underlying OS. Really sophisticated thieves will find ways around it but your run of the mill person will not know how to stop it. I would be curious to know if software retrieval services like LoJack for Laptops use this system to ensure software is always installed.

    With that said it should be 100% up front that this is occurring, has anyone had a chance to dig through Lenovo's 900000000 pages of EULA to see if they mention this reporting back to home regardless of what you the user want to have happen? We do a fair amount of Lenovo business and I frankly had no idea this was going on. Shame on me for not checking these things more carefully.

    Thank you OP for posting this up and keeping us informed!