Lenovo Busted For Stealthily Installing Crapware Via BIOS On Fresh Windows Installs
from the not-learning-any-lessons dept
It looks like Lenovo may not have learned much from February's Superfish shenanigans. If you recall, Lenovo was busted for stealthily installing adware on consumer laptops. Worse, the Superfish adware in question opened up all Lenovo customers to man-in-the-middle attacks by faking the encryption certificate for every HTTPS-protected site customers visited. When pressed, Lenovo idiotically denied there was any security threat introduced by faking encryption certs solely for the sake of pushing ads. Lenovo is now under fire this week for reinstalling the company's bloatware on Lenovo laptops even after customers have completed a fresh install of Windows. First noticed by an Ars Technica forum regular and confirmed by readers at Hacker News, as well as users over at Reddit, Lenovo appears to be hiding its crapware installer in the laptop BIOS, so it gets installed even after a fresh Windows install:
"I had this happen to me a few weeks ago, on a new Lenovo laptop, doing a clean install with a new SSD, Win 8 DVD + wifi turned off. I couldn't understand how a Lenovo service was installed and running! Delete the file and it reappears on reboot. I've never seen anything like this before. Something to think about before buying Lenovo. I searched and found almost nothing about this, so it may be something they started doing in the last few months."
Apparently, Lenovo is using a Windows feature called the Microsoft Windows Platform Binary Table (WPBT), originally designed to simplify the installation of proprietary drivers and anti-theft software (obviously useful, since any smart thief would do a clean install relatively quickly after the theft). In this case, though, Lenovo is using it as a way to force the laptop to phone home to Lenovo servers so adware can be installed.
Basically, before booting Windows, the Lenovo Service Engine (LSE) built into the laptop's firmware replaces Microsoft's copy of autochk.exe with Lenovo's version. Lenovo's version then ensures that LenovoUpdate.exe and LenovoCheck.exe are present in Windows' system32 directory, with full administrative rights. Lo and behold, you then get Lenovo crapware -- and a machine that phones home to Lenovo servers -- even if you think you've avoided such practices via what you incorrectly assumed was a truly clean OS install.
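The WPBT hand-off described above, as an added example that is not part of the original post and is neither Lenovo's nor Microsoft's code: a small Python tool that decodes a WPBT table into its fields (hand-off address, content type, embedded command line) and validates the ACPI checksum, so an administrator can see what the firmware is asking Windows to run. The field layout follows Microsoft's published WPBT specification as I read it; the sample table is constructed here, and the live read through kernel32's GetSystemFirmwareTable only runs on Windows.

```python
import ctypes
import struct
import sys

# GetSystemFirmwareTable IDs: provider 'ACPI' as documented, and the table
# signature passed as a byte-reversed DWORD ('WPBT' becomes 'TBPW').
ACPI_PROVIDER = 0x41435049
WPBT_TABLE_ID = int.from_bytes(b"WPBT", "little")

def parse_wpbt(table):
    """Decode a WPBT blob into its fields; raises ValueError if malformed."""
    if len(table) < 52 or table[:4] != b"WPBT":
        raise ValueError("not a WPBT table")
    length, oem_id, oem_tid = struct.unpack_from("<4xI2x6s8s", table, 0)
    if length != len(table):
        raise ValueError("length field does not match buffer")
    # Payload follows the standard 36-byte ACPI table header.
    size, addr, layout, ctype, arg_len = struct.unpack_from("<IQBBH", table, 36)
    args = table[52:52 + arg_len]
    if len(args) != arg_len:
        raise ValueError("truncated command-line arguments")
    return {
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oem_tid.rstrip(b"\x00 ").decode("ascii", "replace"),
        "handoff_size": size,
        "handoff_addr": addr,
        "single_pe_image": layout == 1,      # layout 1 = one flat PE image
        "native_usermode_app": ctype == 1,   # type 1 = native user-mode app
        "arguments": args.decode("utf-16-le").rstrip("\x00"),
        "checksum_ok": sum(table) % 256 == 0,  # ACPI tables sum to 0 mod 256
    }

def build_sample_wpbt(args=""):
    """Constructed sample table (not a real vendor dump) with a valid checksum."""
    enc = args.encode("utf-16-le")
    body = struct.pack("<IQBBH", 0x20000, 0x7F000000, 1, 1, len(enc)) + enc
    hdr = struct.pack("<4sIBB6s8sI4sI", b"WPBT", 36 + len(body), 1, 0,
                      b"SAMPLE", b"SAMPLEPB", 1, b"TEST", 1)
    table = bytearray(hdr + body)
    table[9] = (-sum(table)) % 256           # checksum byte lives at offset 9
    return bytes(table)

def read_live_wpbt():
    """Windows only: fetch the firmware's WPBT via GetSystemFirmwareTable."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.windll.kernel32
    need = k32.GetSystemFirmwareTable(ACPI_PROVIDER, WPBT_TABLE_ID, None, 0)
    if need == 0:
        return None                          # no WPBT on this machine
    buf = ctypes.create_string_buffer(need)
    k32.GetSystemFirmwareTable(ACPI_PROVIDER, WPBT_TABLE_ID, buf, need)
    return buf.raw
```

On a Windows host, `parse_wpbt(read_live_wpbt())` shows whether the firmware publishes a table at all and what command line it carries; a machine with no WPBT returns None from the read.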
You'll be shocked to learn that this practice isn't particularly secure. Back in April, security researcher Roel Schouwenberg found and reported that a buffer-overflow vulnerability in the LSE (not to mention its insecure network transmission) could easily be exploited by attackers. Once Lenovo learned of the security risk, and likely received a wrist slap from Redmond for running afoul of Microsoft's security standards regarding WPBT, Lenovo very quietly backed away from the practice last June, then released tools for laptops and desktops to aid in the removal of the LSE.
Clearly, since users are only just realizing in August that this problem exists, Lenovo did a wonderful job communicating the issue to its customers. Lenovo now says that any computer sold since June should not include this stealth crapware install mechanism, but somehow it still thought it was a great idea to employ this technology between October 2014 and April of this year. While Microsoft's WPBT may be well-intentioned, it's also hard to see how Microsoft could not have foreseen the pitfalls of letting third parties use the BIOS to inject additional software into a fresh install (regardless of whatever "guidelines" they've belatedly attached).
Meanwhile, on the heels of the Superfish scandal, it's becoming pretty clear that customers who want actual control of the hardware they own might just want to steer clear of Lenovo until the company wises up.
Filed Under: adware, bios, crapware, fresh install, malware, reinstall, thinkpads, windows
Companies: lenovo
Reader Comments
The First Word
customers who want actual control of the hardware they own
This is a great article because it gives a nice clear example of not only what corporate-level actors think of our privacy and security, but also just how opportunistically they will act when left to their own unregulated and profit-driven whims. It leads me to ponder: between now and the future of armed AI battlebots kicking down doors instead of cops, what kind of future can we predict for implantable computing?
Lenovo's actions are a nice foreshadowing.
So are smart tv's that share your every spoken word with third parties.
So are advanced persistent threats in the hard drive mcu firmware(s) and unpatchable firmware vulnerabilities that affect nearly every USB memory stick in existence.
So is the hidden second operating system in every phone, the baseband OS.
So are the terms in the Windows 10 license agreement that obligate the user to agree to so many kinds of spying, automatic updating, and remote top-down command-and-control from big brother Microsoft.
For that matter, so are the ubiquitous, corporate-owned, proprietary and for-profit nature of the cell phone and internet network architectures. Why aren't corporations racing to embrace the Internet Of Things and the future beyond by designing an open, community-owned, peer routed and decentralized network architecture where all we will need to do to join is put up an antenna? Something that is free to join, neighborhood-centric, and useful for civic and community organising?
It's clear that if the hardware manufacturers are left to their own devices (pun intended), implantable computing with a proprietary, for-profit, software-as-a-service, unmoddable, hardware-locked proprietary baseband operating system, and advanced persistent spyware and adware in every BIOS and firmware will be the norm, and not some glaring exception.
How?
Forget 'stop buying until they wise up', after these last two stunts, people should stop buying from them permanently, as it's blatantly obvious they're not to be trusted.
Re: Re: Re: How?
It needs to be a real fear for any company pulling shit like this to face going right the fuck out of business!
Re:
The law of unintended consequences. It may well be perfectly useful for its intended purpose. But supply a tool and some people will work out how to misuse it.
The only mystery is how it is a surprise to anybody that it was misused - or why Lenovo apparently believed that nobody would notice.
Re: Re:
Lenovo has certainly earned a spot on my "do not buy" list.
Re:
but sure, anyone else *could* do this.
IF you could cast your aspersions elsewhere while we discuss the greedy, arrogant Chinese company who's done this (again) *TWICE* in the space of 18 months. Eyeaaah, that'd be greeeeeat.
Re: Re:
Yeah, please quit reminding people of all the times the government has been caught hacking into people's computers. Let's keep it focused on Lenovo. Eyeaaah, that'd be greeeeeat.
Re: Re: Re:
It's just Lenovo this blog is about. There are others and they all should be nuked!
I foolishly bought a nice little "USELESS" laptop. It has Chrome OS on it and it is UEFI locked. It is basically useless unless connected to the Internet. I dusted it off a couple months ago but I didn't turn it on. I have tried to talk to Google about unlocking UEFI so I can replace that useless Chrome OS piece of shit. NO luck. Anyone know how to talk them into how to unlock it? NO! I thought not.
a question
Do the crapware call-home programs still work?
Not that I am now inclined to buy Lenovo for any reason.
Re: Re: a question
WPBT tables, and other Windows-specific software constructs, no longer apply when Linux is booted. To pull the same trick under Linux requires Linux-specific software, and would have to deal with the variability of Linux, like different boot loaders. Windows provides a much more consistent execution environment than Linux, which relies more on source code portability.
Re: a question
You get reported for "piracy", naturally.
Duh! Lenovo is made in China!
Thanks, Microsoft, for making pwning so easy.
Re: Duh! Lenovo is made in China!
https://www.theverge.com/2015/7/29/9067665/motorola-google-lenovo-pure-android
Don't give them ideas
'Delete everything and start with a fresh install in an attempt to try and ensure that the only programs on your machine are ones you chose yourself? Hah, no, soon as it boots it calls home and installs the backdoor code again.'
WPBT considered harmful to security
As usual, the modern world has traded away safety for a little more convenience
It's not just Lenovo
Re: It's not just Lenovo
I suspect the Russian FSB, Israeli Mossad, and the NSA have all taken minority ownership positions in MS.
It's the corporation's secret motto.
All laptops?
Is there a way to pull this trick on a Linux machine?
Thinkpad killed
I was afraid it was going to happen.
I have a T500 (T61p before that), back when Lenovo just bought them from IBM.
The thing is a workhorse, and still works great to this day (the T61p sadly succumbed to the bad nVidia chip of that era, T500 replaced it).
The keyboard change was the first nail. This is the final.
So ended an era.
It will most likely be my last Thinkpad. Sadly there isn't much else of quality anymore either.
Stallman was right
https://www.fsf.org/campaigns/free-bios.html
Re: Stallman was right
It may be worth noting, by the way, that it's not so difficult to grab an old system (one you don't mind bricking) and port Coreboot to it.
And considering how small memory chips are in things like flash drives, perhaps in the future, the OS would be preinstalled directly on the motherboard and cannot be overwritten. That'd spell the end of Linux (competition to M$ and a possible hindrance to Big Brother) in several years, after the gurus' old hardware becomes too old or breaks.
Just something I've been thinking about lately.
lenovo caught using the NSA's toys.
You've missed the story here Karl. There's an iceberg below the tip you just pointed out, one that TD's articles seem to obliviously run into again and again... All modern hardware is backdoored like this. Intel ME, Secureboot, TPM, UEFI...etc...
Also- this type of attack absolutely works against linux, the injected software just has to be tailored to the target software environment; harder than Windows, sure, but far from impossible.
Ironically- gluglug's (old/reflashed) lenovo thinkpads are some of the only machines you can buy today that are immune to these types of subversion/attack. So boycott new lenovos, by all means, but if you want to support a solution to this catastrophic mess- buy a gluglug and support the libreboot team.
Re: lenovo caught using the NSA's toys.
You've mixed together a bunch of technically very different attack vectors, so I'm not sure which one(s) you're talking about with this assertion.
Assuming you're talking about the one the article is discussing, then no, this attack does not work against Linux. It requires the active support and cooperation of the operating system, and Linux does not provide the necessary support.
Re: Re: Re: lenovo caught using the NSA's toys.
Simply having the code in the BIOS (even if that code can execute under any OS) doesn't do anything at all. Something on the OS side of things must load and execute that code. Linux does not look for, load, or execute any such code and so is immune from this attack vector.
So... how many folks here are not firm believers of following "the Bleeding Edge"?
Re: Re: So... how many folks here are not firm believers of following "the Bleeding Edge"?
My most modern device is the old very first Panasonic Toughbook. It has a phone-home security system in the BIOS. I have turned it off, but all I can find about it says it works for them anyway. So I have everything here go through three routers with iptables on them as well as a Masquerade on each one. I am now the paranoid kid. I am not prejudiced at all. I trust no one.
Already flushed the toilet
Good Bye...so long. We only have about 350 users, but that's 350 fewer Lenovos. Someone needs to pull their head out of their asses, otherwise they will lose all of their business customers.
Bad Press
Re: Bad Press
Sony is a great exemplar. Rootkits in audio material that take over a computer if you listen to a legally purchased CD on your PC. Taking out capabilities that were touted as a reason for purchase (removal of Linux from a game console.)
Companies that produce absolute garbage (MPAA and the RIAA) abuse the user and the law. And users are so hungry for crap they don't need, that they put up with it. Perhaps they all need to go to submissive school, and learn that it is the bottom who really holds the power.
Why should they?
Were the company's managers prosecuted? If not, then what they learned is that laws don't apply to them, so why should they care?
Re: Why should they?
Could have just been "shock testing" too.
To see how the public would react.
---
Read more: http://www.referenceforbusiness.com/history2/52/Lenovo-Group-Ltd.html#ixzz3sK1cQ66i