Study Shows Lenovo, Other OEM Bloatware Still Poses Huge Security Risk

from the history-repeats-itself-history-repeats-itself dept

Lenovo hasn't had what you'd call a great track record over the last few years in terms of installing insecure crapware on the company's products. You'll recall that early last year, the company was busted for installing Superfish adware that opened all of its customers up to dangerous man-in-the-middle attacks, then tried to claim they didn't see what all the fuss was about. Not too long after that, the company was busted for using a BiOS trick to reinstall its bloatware on consumer laptops upon reboot -- even if the user had installed a fresh copy of the OS.

Now Lenovo and its bloatware are making headlines once again, with the news that the company's "Accelerator Application" software makes customers vulnerable to hackers. The application is supposed to make the company's other bloatware, software, and pre-loaded tools run more quickly, but Lenovo was forced to issue a security advisory urging customers to uninstall it because it -- you guessed it -- opened them up to man-in-the-middle attacks.

The vulnerability was discovered by Duo Labs as part of a larger report on the security of pre-installed OEM software (pdf). The study found consistent security problems specifically in the software used by OEMs to keep all the other bloatware updated. Such software pretty consistently failed to make even basic use of TLS, properly validate update integrity, or verify the authenticity of update manifest contents, leaving consumers at consistent risk of remote attack. It also found that some companies even had multiple software updaters that occasionally served duplicate purposes, most of which were trivial to exploit:
"Updaters are an obvious target for a network attacker, this is a no-brainer. There have been plenty of attacks published against updaters and package management tools in the past, so we can expect OEM’s to learn from this, right? Spoiler: we broke all of them (some worse than others). Every single vendor had at least one vulnerability that could allow for a man-in-the-middle (MITM) attacker to execute arbitrary code as SYSTEM. We’d like to pat ourselves on the back for all the great bugs we found, but the reality is, it’s far too easy."
And again, to be clear, Lenovo wasn't alone in being incompetent here. In fact, the firm tried to find any vendor whose bloatware didn't pose a security risk, and they couldn't actually do so:
Here's a novel idea: if OEMs can't actually learn from past mistakes and secure their bloatware, how about they do us all a favor and stop installing such crapware in the first place?
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: adware, bloatware, computers, spyware
Companies: lenovo


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    That One Guy (profile), 3 Jun 2016 @ 3:50pm

    Let's be reasonable here

    Here's a novel idea: if OEMs can't actually learn from past mistakes and secure their bloatware, how about they do us all a favor and stop installing such crapware in the first place?

    There's good money in shoveling crapware onto unsuspecting customers, money that might decrease if they actually had to make their software secure, so expecting them to stop dumping it on people isn't likely to happen any time soon.

    Instead focus on making to so that people can more easily remove said crapware and secure their own systems, something that both decreases the risk to the owner of the device it was previously infecting and offers up the perfect opportunity to point and laugh when the crapware vendors start whining about how people are uninstalling their rubbish programs.

    link to this | view in thread ]

  2. identicon
    Whoever, 3 Jun 2016 @ 3:58pm

    The sad fact

    The sad fact is that users of PCs have learned to expect to be abused by their vendors and they just accept it.

    They expect their PC to be insecure. Until PC users make purchasing decisions that reflect the negative aspects of the insecurities, the vendors will continue to not care.

    Ultimately, customers need to put a value on security. I think that most do not value security because they believe that being vulnerable is inevitable.

    The problem is compounded by the lack of choice. The only mainstream choice is which vendor will abuse the customer with insecure crapware. There are no mainstream crapware-free choices.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 3 Jun 2016 @ 4:05pm

    Re: Let's be reasonable here

    So... you've got OEMs selling systems with bloatware, and you've got Apple selling systems without bloatware, for approximately the same price on a featre-per-feature comparison.

    So if the other vendors are making money off of their bloatware in order to compete, what gives? They're not developing the hardware specifications themselves for the most part, and they don't develop their own OS or software for the most part.

    So why aren't they making more money off of the bloatware?

    link to this | view in thread ]

  4. identicon
    Michael J. Evans, 3 Jun 2016 @ 6:17pm

    Update Repositories

    Windows Update REALLY should have a /list/ of repositories to install packages matching a given form from.

    This way a vendor could setup a model specific repository and just point the user to that / have a single URL that they click that asks the user to confirm adding the repo to Windows Update.


    Of course they'd never do this, because the point isn't to keep users up to date, it's to deliver junk-ware and vendor lockin...

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 3 Jun 2016 @ 6:17pm

    I've gotten to where any new computer had to have Crap Cleaner run to remove the bloatware before real use. This is probably why Lenvo decided to try and sneak it in by Bios as I have to guess that many other purchasers of new computers were doing the same thing.

    Now we have the OS makers like Microsoft trying to get ahead of the game by turning the OS into an advertising platform complete with data mining.

    It's getting to where you can't find a secure OS much less a computer. At this point, even Linux isn't the answer as the NSA has been sure to have had it as an aiming point all along.

    link to this | view in thread ]

  6. identicon
    Lawrence D’Oliveiro, 3 Jun 2016 @ 9:59pm

    Microsoft = Scylla, Intel = Charybdis

    PC makers are getting squeezed into ever-shrinking margins, even as Microsoft and Intel make fat profits on every PC sold. So to boost their tiny profits, the vendors have to resort to “adding value” in any way they can.

    Customers put up with this, because it means cheaper PCs. You can get crapware-free PCs, but they cost more. If you want a laptop without Windows, for example, you can go to ZaReason or System76, but expect to pay a higher price for freedom. Most people don’t bother.

    Even Microsoft is feeling a bit of a pinch in its profit margins. So it is resorting to the crapware game, too, with Windows 10...

    link to this | view in thread ]

  7. identicon
    Lawrence D’Oliveiro, 3 Jun 2016 @ 10:33pm

    Re: So why aren't they making more money off of the bloatware?

    I suspect Apple isn’t making much off its Macs these days, either. Its cash cow is the Iphone.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 4 Jun 2016 @ 2:24am

    Re:

    At this point, even Linux isn't the answer as the NSA has been sure to have had it as an aiming point all along.

    Linux had reasonable protection from the NSA, it is built from source by multiple people in multiple countries. These people control what servers their builds talk to.This makes it very high risk for spy agencies to try to plant software that calls home into Linux, especially as it would have to distribute the source code. Oh, and Snowden has made the task much harder, as more people will be casting a critical eye over the source code, and monitoring outgoing, connections, and some of them would very much like to give uncle Sam a black eye.

    link to this | view in thread ]

  9. identicon
    Lawrence D’Oliveiro, 4 Jun 2016 @ 3:12am

    Re: Windows Update REALLY should have a /list/ of repositories to install packages matching a given form from.

    I believe Ninite tried to do that.

    Until it got C&D letters from Adobe and other proprietary software vendors, claiming violation of their Int****ctual P**p**ty rights...

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 4 Jun 2016 @ 7:00am

    This isn't new. It's been well known by IT people that when you buy a new PC from an OEM you nuke and pave the OS. ALWAYS.

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 4 Jun 2016 @ 7:01am

    Re:

    and it's been this way for 25 years.

    link to this | view in thread ]

  12. identicon
    David, 4 Jun 2016 @ 12:04pm

    Re: Let's be reasonable here

    There's good money in shoveling crapware onto unsuspecting customers

    That's what I call "bad money". It's like a hairdresser clandestinely taking the earrings of customers and selling them. You are ruining your reputation and your principal business.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 5 Jun 2016 @ 10:41am

    Lenovo (AKA the chinese government special technology unit) has today announced that it will no longer add software to spy on naked customers via their webcam, after software installed on their webcam revealed customers conversations about how much they distrusted their Webcam and microphone.

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 5 Jun 2016 @ 10:42am

    Re: Re: Let's be reasonable here

    Actually its more like giving someone an AWESOME haircut and at the end smearing the feces of every salon employee into the hair.

    "OK so it ruins the haircut, but you can always uninstall the feces you don't want once you get your haircut home"

    link to this | view in thread ]

  15. icon
    ender (profile), 6 Jun 2016 @ 1:12am

    Speaking of OEM bloatware, Asus' will [download executables](http://teletext.zaibatsutel.net/post/145370716258/deadupdate-or-how-i-learned-to-stop-w orrying-and) over unencrypted connection, won't do any verification on them and run them with admin privileges. Hello, MITM!

    link to this | view in thread ]

  16. icon
    JBDragon (profile), 6 Jun 2016 @ 8:14am

    Re: Re: So why aren't they making more money off of the bloatware?

    You are wrong! Apple makes the same kind of profit margin on Mac's as they do on the iPhone! Apple just sells far, far more iPhones. Mac sales have slowly grown as PC sales have gone down also.

    link to this | view in thread ]

  17. icon
    JBDragon (profile), 6 Jun 2016 @ 8:16am

    Re:

    Or do what I did, build your own system and Install Windows. Not some OEM Windows version that when you install, it installs all the bloat crap right back onto the computer!!!

    link to this | view in thread ]

  18. icon
    Eldakka (profile), 6 Jun 2016 @ 9:17pm

    Windows Update?

    Why didn't they include an analysis (or link to) of Windows Update as well?

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.