Lenovo Installed Software On Laptops That Persisted After Complete Wipes
An anonymous reader writes: The Next Web has confirmed reports from owners of Lenovo laptops that the company used a BIOS feature to install its software on the laptops even if a user wiped a device clean and reinstalled the operating system. "If Windows 7 or 8 is installed, the BIOS of the laptop checks 'C:\Windows\system32\autochk.exe' to see if it's a Microsoft file or a Lenovo-signed one, then overwrites the file with its own. Then, when the modified autochk file is executed on boot, another two files LenovoUpdate.exe and LenovoCheck.exe are created, which set up a service and download files when connected to the internet." Lenovo has published a patch to remove this functionality. The article notes that this technique seems to be sanctioned by a Microsoft policy. "Manufacturers are obligated to ensure that the mechanism can be updated if an attack is discovered and should be removable by the user, but the rules outlined in the document are fairly loose and don't require the OEM to notify the owner of the laptop that such a mechanism is in place."
The troll that just keeps on giving.
When Windows auto-updates go horribly wrong, almost all users blame the h/w vendor, not Microsoft. So Lenovo uses this BIOS trick to protect their reputation. Why is this being depicted as malicious behaviour?
If you keep throwing chairs, one day you'll break windows....
"What is the world coming to?" It seems, no matter how obviously bad an idea is, somebody has to try it.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
At least Lenovo gives you a GUI with Windows 8. On EVIL COMMAND LINE LINUX you're stuck with bad evil hard-to-use command lines.
You should be thankful that Lenovo gives you this extra software as a bonus instead of forcing you to use an EVIL command line!
Nevermind that in creating such a thing they've created a gigantic security hole in the hardware itself that an attacker could potentially use to make sure your computer is a permanent part of someones botnet!
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Never buying from that company again and will, in my capacity as family tech support guy, ensure that nobody in my family buys one. Wow. That company cannot die quick enough.
Lenovo sure has a short attention span; Superfish, now this.
It's fucking sad that wiping your PC no longer wipes it. Self-reinstalling crapware, thank you MS & Lenovo!
This is actually a mechanism called Windows Platform Binary Table (WPBT).
More information can be found in the Microsoft WPBT whitepaper:
"This paper describes the format of a Windows Platform Binary Table (WPBT). The WPBT is a fixed Advanced Configuration and Power Interface (ACPI) table that enables boot firmware to provide Windows with a platform binary that the operating system can execute. The binary handoff medium is physical memory, allowing the boot firmware to provide the platform binary without modifying the Windows image on disk. In the initial version, the WPBT simply contains a physical address pointer to a flat, Portable Executable (PE) image that has been copied to physical memory. The WPBT is extensible, allowing the layout of published platform binaries to be more complex in future versions and allowing the support of more than one binary type.
It is expected that the binary pointed to by the WPBT is part of the boot firmware ROM image. The binary can be shadowed to physical memory as part of the initial bootstrap of the boot firmware, or it can be loaded into physical memory by extensible boot firmware code prior to executing any operating system code. A boot firmware component would create the WPBT based on the location of the platform binary. During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary. In the first version, the binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process. Windows may reclaim the physical memory described in the WPBT.
If Windows observes a WPBT during operating system initialization, it will attempt to use an ACPI control method to communicate binary execution status back to the platform."
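The table format the whitepaper describes, parsed by an added example that is not from this thread or from Microsoft's paper. It follows the field layout the paper gives (a standard 36-byte ACPI header, then handoff memory size, handoff physical address, content layout, content type, and a length-prefixed UTF-16 argument string), validates the ACPI checksum, and flags content layout/type codes other than 1, which is how the paper's first revision encodes "single flat PE image" and "native user-mode application". The sample table bytes, the DEMO OEM identifiers and the 0x7FFF0000 handoff address are constructed for the demo, not captured from real firmware. On a Linux box the same parser can be pointed at /sys/firmware/acpi/tables/WPBT, which the kernel only exposes if the firmware actually publishes the table (reading it needs root).

```python
import os
import struct
from dataclasses import dataclass
from typing import Optional

# ACPI table header (36 bytes): Signature, Length, Revision, Checksum, OEMID,
# OEM Table ID, OEM Revision, Creator ID, Creator Revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT body as laid out in Microsoft's whitepaper: handoff memory size (u32),
# handoff physical address (u64), content layout (u8), content type (u8),
# command-line argument length in bytes (u16), followed by UTF-16LE arguments.
WPBT_BODY = struct.Struct("<IQBBH")

# Codes from the first revision of the paper; anything else is reported as unknown.
CONTENT_LAYOUT = {1: "single flat PE image"}
CONTENT_TYPE = {1: "native user-mode application launched by the Session Manager"}


@dataclass
class Wpbt:
    length: int
    revision: int
    oem_id: str
    oem_table_id: str
    handoff_size: int
    handoff_location: int
    content_layout: int
    content_type: int
    args: str
    checksum_ok: bool

    def describe(self) -> str:
        layout = CONTENT_LAYOUT.get(self.content_layout, "unknown layout")
        ctype = CONTENT_TYPE.get(self.content_type, "unknown type")
        return (f"WPBT rev {self.revision} from {self.oem_id!r}/{self.oem_table_id!r}: "
                f"{layout}, {ctype}, {self.handoff_size} bytes at physical "
                f"0x{self.handoff_location:X}, args={self.args!r}, "
                f"checksum {'ok' if self.checksum_ok else 'BAD'}")


def acpi_checksum_ok(table: bytes) -> bool:
    # Every ACPI table must sum to zero modulo 256 over all of its bytes.
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> Wpbt:
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table shorter than the fixed WPBT layout")
    (sig, length, rev, _csum, oem_id, oem_tid,
     _oem_rev, _creator, _creator_rev) = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: signature {sig!r}")
    if length != len(table):
        raise ValueError(f"header length {length} != {len(table)} bytes supplied")
    size, loc, layout, ctype, arglen = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    arg_off = ACPI_HEADER.size + WPBT_BODY.size
    if arg_off + arglen > length:
        raise ValueError("argument length runs past the end of the table")
    args = table[arg_off:arg_off + arglen].decode("utf-16-le", errors="replace").rstrip("\x00")
    return Wpbt(length, rev,
                oem_id.decode("ascii", "replace").strip(),
                oem_tid.decode("ascii", "replace").strip(),
                size, loc, layout, ctype, args, acpi_checksum_ok(table))


def build_sample_wpbt(args: str = "", handoff_location: int = 0x7FFF0000,
                      handoff_size: int = 0x1000) -> bytes:
    """Constructed sample table for the demo; OEM ids and address are placeholders."""
    arg_bytes = args.encode("utf-16-le")
    body = WPBT_BODY.pack(handoff_size, handoff_location, 1, 1, len(arg_bytes)) + arg_bytes
    length = ACPI_HEADER.size + len(body)
    hdr = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"DEMO  ", b"DEMOTBL ", 1, b"DEMO", 1)
    raw = bytearray(hdr + body)
    raw[9] = (-sum(raw)) % 256   # checksum byte sits at offset 9 of the ACPI header
    return bytes(raw)


def read_platform_wpbt(path: str = "/sys/firmware/acpi/tables/WPBT") -> Optional[Wpbt]:
    """Return the firmware-published table on Linux, or None if the firmware has none."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        return parse_wpbt(fh.read())


if __name__ == "__main__":
    live = read_platform_wpbt()
    print(live.describe() if live else "no WPBT published by this firmware")
    print(parse_wpbt(build_sample_wpbt("/quiet")).describe())
```

The physical address the table carries is only meaningful while the firmware's copy of the binary is still in memory at boot; by the time user space runs, Windows has already written the image to disk and may have reclaimed the pages, so a parser like this tells you that a platform binary was offered and by whom, not what it did. On the Windows side, later revisions of the same Microsoft paper document a REG_DWORD `DisableWpbtExecution` set to 1 under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager` that stops the Session Manager from running the published binary.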
Sorry, but this is what happens when you let a country under the sway of a totalitarian government build you computers.
However, as almost every other government more or less demands the same thing ... this is the new normal.
You can (and should) be outraged. But the fact that governments want back doors for everything is pretty clear.
I see this as precisely no different from the US tapping the telecom systems of other countries. People claim it's their right, and then get all freaked out when someone else does it.
Sorry, but fascism and the surveillance state is a creeping cancer on the whole world.
Lost at C:>. Found at C.
When I briefly worked inventory in 2008, Google management was thinking of abandoning Lenovo laptops as they kept finding backdoors for Chinese hackers in the BIOS. Not sure if they ever did. On the few contract assignments I've done for Google since then, everyone I worked with had a MacBook Pro laptop.
... as long as it's constrained to only device drivers. That way we're not stuck, especially considering people are ditching optical drives.
Buck Feta. You know what to do.
When does the bios install the files, at boot time, or when the OS is running?
If at boot, this should require BIOS drivers for read+write NTFS filesystem support in order to know where in the primary drive the BIOS needs to install the files, which means the BIOS can hold a much larger amount of storage than expected.
If when the OS is running, this opens up the potential for many new scarier exploits and backdoors, even for a more secure OS with different file systems, such as Linux or *BSD, beyond just storage, such as memory and network access.
Does this still work with FDE (Full Disk Encryption), such as bitlocker, truecrypt, bestcrypt, pgpdisk, etc.?
Wait, so you are telling me that people buy Lenovo computers and don't simply install their favourite version of Linux/Unix but actually run Windows on those?????? Seriously??? I am on Lenovo W510, had it for a few years, it has an older version of Ubuntu and I am going to replace it soon with a Mint distro, why would I want Windows on it?
You can't handle the truth.
As stated above, this is how Windows operates by design.
End Of Thread.
Shut up and educate yourselves.
It isn't just Lenovo. On most major brands of PC laptops, there is a BIOS setting that once set, can't be unset, which either enables LoJack for Laptops permanently, or permanently disables it. If it is set, it will always load the LoJack executables when Windows is installed, even if the hard disk is blank and the install media is clean.
Of course, this is a mechanism that can be both used for good or ill... I wouldn't be surprised to see BIOS attacks that allow an attacker to flash a Trojan dropper which will always be present even on a reinstall with the only fix being either a firmware upgrade (if the attacker didn't already block that), or replacement hardware. The only real way to prevent it is to virtualize everything, with the bare metal OS as thin as possible [1].
[1]: Would be nice to see something like VMWare ESXi, except with the ability to use the console graphically, one step up from a dumb terminal.
RTFA, numbnuts.
"If Windows 7 or 8 is installed, the BIOS of the laptop checks 'C:\Windows\system32\autochk.exe' to see if it's a Microsoft file or a Lenovo-signed one, then overwrites the file with its own.
Since this doesn't require my agreement, then does that mean I'm unrestricted as to what I can do with it? Namely, reverse compiling, distributing, etc?
~Loyal
I aim to misbehave.
After Superfish, now this... Not sure which is better... a spyware... or a multitude of malwares that install themselves even if you change the drive.
The root problem is the people who design a feature to allow code to persist through a wipe and don't see that as a huge security hole!
Security is simple if you care about it; things like a BIOS update shouldn't be possible without a physical action by the user. For example, a jumper on the motherboard has to be installed during the boot (which can easily be extended to a button on the case), which would look for a specific file in a specific location and update the BIOS after confirming on screen with the user. The jumper would then have to be removed prior to the system booting normally.
Any feature that a good application can use to update your system, a bad application can use as well. To use a car analogy, a security "feature" that lets you unlock your car if you've lost your keys (which sounds useful on its face) - also allows a bad guy to unlock your car.
"Grab them by the pussy" -- President of the United States of America
Lenovo Installed Software Making Laptops Vulnerable to Hacking: Experts videoturkiye.Net http://www.videoturkiye.net/le...
Thats gross Lenovo, shame on you.
After purchase, the laptop belongs to its new owner, not to Lenovo.
If you think that Lenovo has the right to "protect their reputation" on equipment which it does not own, your powers of reasoning leave something to be desired.
That isn't YOUR laptop, it belongs to Microsoft. You merely pay for the ability to keep hold of their machine while you take on all risk of looking after it.
They could be loading Adobe Flash
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
Since this turns out to be using a Microsoft-provided facility in UEFI (from what I've read) -- how can we disable/turn off this feature? I don't own a Lenovo device, but I want to be sure it can't be used on *any* of my motherboards or laptops. What a stupid f*cking idea. UEFI is turning out to be just bad in new and wonderful ways, security-wise.
I had a motherboard bios (Phoenix?) around 2000 that patiently waited for you to install windows, modem, etc. I didn't need any of the MB drivers for Win98se, so I had not even loaded the CD for drivers. I installed my traditional firewall and antivirus from CD, then established a dial-up connection. When a TCP/IP connection was detected, the BIOS immediately downloaded some manuals and MB utilities onto the desktop... completely sidestepping the firewall in the process. Very slick and scary even then.
solution - delete system32 !
Thanks guys, my machine is a lot faster!
Pretty sure the Bible doesn't say racism is a sin.
Hell, it's a main purveyor.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Ubuntu Server, Kubuntu, and Xubuntu don't have the "shopping lens" that Ubuntu Unity has.
Back in 2011, I had a virus which persisted on my Blackberry after a full factory reset and clear. Nasty little bugger, also infected my Kindle, my wireless smart monitor and xbox, and a SecureRom bios secured machine. Sliced through it all like butter, and reinstalled itself even after full wipes.
I now carry only a laptop. No cell phones. No nothing. That kind of trouble's just too much for me.
This is really no different than Absolute Computrace. Wiping the hard drive, or installing a new hard drive doesn't stop the software. The executable is stored in the hardware and reinstalls itself in the operating system automatically if someone removes it. This is the same tactic Lenovo is using for its own purposes.
Both of which are rootkits/bootkits
Microsoft INSISTED the BIOS of new PCs be changed to a more modern system, and paid shills to tell people here that the reason for the change was "SECURITY". However, the old school BIOS system on a PC motherboard is so primitive and straightforward, there is NO WAY to make it pull these stunts. It simply lacks the capability of independent high level OS functionality, so no NSA method could ever use this vector for a clean install TROJAN attack.
But all new devices built for Windows have to include unstoppable TROJAN back-door BIOS functionality. The 'innocent' fake explanation is that "dumb users have to be protected from themselves" so Microsoft MUST have access to an unstoppable 'update' facility on every connected PC.
Windows 10 has ALWAYS ON updates. If the user attempts to switch them off, they reactivate after a few days. The updates are given, by EULA 'rights' the ability to change ANY current user setting on the system, be that setting related to a Microsoft program that came with Windows 10, or a third-party program installed afterwards. The extent of this power was seen when Win8.1 to W10 updates DEACTIVATED child protection settings (because they interfered with key NSA back-door functionality). If/When these settings are re-activated, they now operate in a NSA friendly mode.
Dice tells you, in-between stories lionising Saudi Arabia and Israel and demonising Iran, that all the software changes FORCED on you are in the name of 'better security' and most of you dumb dumb betas swallow this lie hook, line and sinker.
Only a few days back, the story broke of the old NSA hack that ensured EVERY Intel and AMD CPU was insecure regardless of OS used. And why? Because the NSA has long since moved on to VASTLY more sophisticated back-doors in your AMD and Intel CPUs. Both companies build NSA accessible memory blocks in the chips themselves, programmed by the cryptological gateway mechanism also used to update the microcode via the BIOS. Yes, the NSA runs code from within the CPU chip these days, and this NSA back-door is theoretically IMPOSSIBLE to block. The NSA intercepts apparently INNOCENT IP traffic to apparently INNOCENT IP addresses emanating from your PC when connected. The trojan in your PC CPU inserts its data into these packets. This form of attack is ONLY used by the NSA against the most highly sought after targets.
To be completely secure a PC must be disconnected from any network, if any machine on that network ever connects to an open network at any time in the present or future. But if the PC has ANY wireless functionality, active or 'deactivated', it will be making a constant attempt on behalf of the NSA to connect to available wireless networks and signal that way. Microsoft builds all this functionality into Windows, and the companies building the PC chips build the functionality into the hardware. Remember the average PC motherboard contains DOZENS of independent CPU systems (mostly ARM, MIPS based) that have vastly more processing power than the first IBM Intel based PCs. If your motherboard is NOT in a Faraday Cage, it periodically attempts to connect wirelessly regardless of the state of your Windows wireless drivers.
What Snowden has leaked about the NSA and GCHQ is largely YEARS out-of-date, and only a fraction of what these intelligence agencies actually do.
But again, the really devious clever stuff is not aimed at YOU, but in-case the PC ends up in a 'sensitive' foreign location. YOU are tracked far better by Facebook, Google etc. But regardless your PC is designed and built with all these spying mechanisms actively in place. Some of them will normally be SUBVERTED for commercial purposes, hence this story.
Sorry for including a secret software installation tool. Here, run this binary executable and I promise it'll make everything better.
So, in this case, adding a security feature means opening the machine up to third party hacking.
Wouldn't it be great to have a Slashdot headline so wrong, it literally and unambiguously contradicts itself?
Like, say, one claiming that a wipe was complete, while also claiming that software persisted? Not very complete, eh?
The Malware's baked-in-goodness from the factory!
taskkill /IM LenovoUpdate.exe /T /F /IM LenovoCheck.exe /T /F
taskkill
Problem solved.
I'm trying to figure out how to dual boot Linux along with Windows and, separately, dual boot Linux on my Chromebook. The problem with the Chromebook is that every time it starts it puts up what everyone refers to as the "scary screen" and tells you to press the space bar to wipe your computer back to a locked-down Chromebook. The early Chromebooks had a hardware switch to lock that wipe from happening, but the newer ones can do the wipe under software control, so they are dangerous: anyone rebooting your computer might casually wipe the Linux partition. I wish there was a way to safely set up a dual-booted Chromebook. (Currently I use crubuntu, which is not safe and breaks occasionally when ChromeOS updates itself automatically.)
Likewise, my dual-booted Linux/Windows machine defaults to the Windows boot and I don't see any way to tell the BIOS to do anything else by default. You can get to Linux by escaping into the BIOS and selecting it, but I've not figured out how to make Linux the default. Microsoft seems to want to be the lead dog here.
I'm thinking there must be a way to edit the MBR from Linux so that it gives me a GRUB menu at boot time to select which boots. However, I'm also scared of tinkering with that because I'm afraid it might be coupled to the Windows recovery partition. I get this feeling because, like this Lenovo BIOS thing, it's clear that it's HP and not Microsoft that generates the recovery management process.
Can we ban this spamming chucklefuck?
"Lenovo Installed Malware On Laptops That Persisted After Complete Wipes"
FTFY
Just cruising through this digital world at 33 1/3 rpm...
I guess those wipes weren't complete then, were they?
Does someone know if this affects free (as in freedom) vendors like Think Penguin, whose laptops I think are repurposed Lenovo ThinkPads?
But the real question is, does the data persist after multiple wipes? If so, they must only be using 1-ply paper.
That is so unethical that I will never buy another product that features the Lenovo brand name.
the Communist Chinese army (aka the real owners of Lenovo) and is shocked to find persistent malware??????
I would not trust the ICs in a Lenovo machine to be free of embedded hardware-based exploits. Even the NIC in such a system could contain its own embedded ARM with a TCP/IP stack and some nefarious embedded code. The US government should never have enabled some of the big US tech firms to sell-out to the Chinese government like this, and other Western nations should similarly have resisted greed and kept control of their tech. Technology WAS the thing that kept the West safe through the Cold War.
This will be used by at least one manufacturer to implement gradual device failure shortly after warranty.
Um, honestly I have a hard time getting upset over #1. If you can't trust the BIOS - the software that by its very nature has unrestricted access to every aspect of your computer and is responsible for loading the OS itself, then you're already screwed. Full Stop.
#2 on the other hand.... yeah, that's pretty much evidence that we can't trust the BIOS. See my previous point.
As for
>We would not be complaining about #2 if Lenovo was installing a fix for a video driver that they knew caused lock-ups on their hardware.
Yes, we would. We very much would. Such a "fix" would almost certainly end up locking you into one particular driver version, "helpfully" rolling back any newer driver you installed to fix additional issues/add new features/enhance performance. Presumably any Lenovo-released driver updates would update the BIOS as well, but let's be honest - when's the last time you saw a laptop manufacturer release up to date drivers, especially for a model they're no longer producing?
--- Most topics have many sides worth arguing, allow me to take one opposite you.
Jesus's definition of the scope of "love your neighbor" through his illustration of the good Samaritan is plenty anti-racist.--Luke 10:25-37.
You are all cows. Cows say moo. MOOOOOOO! MOOOOOOO! Moo cows MOOOOOO! Moo say the cows. YOU COWS!!