Lenovo Installed Software On Laptops That Persisted After Complete Wipes
An anonymous reader writes: The Next Web has confirmed reports from owners of Lenovo laptops that the company used a BIOS feature to install its software on the laptops even if a user wiped a device clean and reinstalled the operating system. "If Windows 7 or 8 is installed, the BIOS of the laptop checks 'C:\Windows\system32\autochk.exe' to see if it's a Microsoft file or a Lenovo-signed one, then overwrites the file with its own. Then, when the modified autochk file is executed on boot, another two files LenovoUpdate.exe and LenovoCheck.exe are created, which set up a service and download files when connected to the internet." Lenovo has published a patch to remove this functionality. The article notes that this technique seems to be sanctioned by a Microsoft policy. "Manufacturers are obligated to ensure that the mechanism can be updated if an attack is discovered and should be removable by the user, but the rules outlined in the document are fairly loose and don't require the OEM to notify the owner of the laptop that such a mechanism is in place."
This is actually a mechanism called Windows Platform Binary Table (WPBT).
More information can be found in the Microsoft WPBT whitepaper:
"This paper describes the format of a Windows Platform Binary Table (WPBT). The WPBT is a fixed Advanced Configuration and Power Interface (ACPI) table that enables boot firmware to provide Windows with a platform binary that the operating system can execute. The binary handoff medium is physical memory, allowing the boot firmware to provide the platform binary without modifying the Windows image on disk. In the initial version, the WPBT simply contains a physical address pointer to a flat, Portable Executable (PE) image that has been copied to physical memory. The WPBT is extensible, allowing the layout of published platform binaries to be more complex in future versions and allowing the support of more than one binary type.
It is expected that the binary pointed to by the WPBT is part of the boot firmware ROM image. The binary can be shadowed to physical memory as part of the initial bootstrap of the boot firmware, or it can be loaded into physical memory by extensible boot firmware code prior to executing any operating system code. A boot firmware component would create the WPBT based on the location of the platform binary. During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary. In the first version, the binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process. Windows may reclaim the physical memory described in the WPBT.
If Windows observes a WPBT during operating system initialization, it will attempt to use an ACPI control method to communicate binary execution status back to the platform."
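An added example, not part of the thread or of the Microsoft whitepaper: a Python parser for a dumped WPBT table, which lets a defender check whether firmware publishes a platform binary and where the handoff image sits in physical memory. The field offsets (standard 36-byte ACPI header followed by the WPBT fields) come from the published table format and are not given on this page; `parse_wpbt`, `build_sample` and every sample value are constructed for illustration.

```python
import struct
import sys

# Standard ACPI table header (36 bytes), then the WPBT-specific fields.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_BODY = struct.Struct("<IQBBH")  # handoff size, handoff address, layout, type, args length


def parse_wpbt(table: bytes) -> dict:
    """Validate a raw WPBT table and return the fields a defender cares about."""
    args_off = ACPI_HEADER.size + WPBT_BODY.size
    if len(table) < args_off:
        raise ValueError("table too short for a WPBT")
    sig, length, revision, _, oem_id, oem_table = ACPI_HEADER.unpack_from(table)[:6]
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError("length field does not match table size")
    if sum(table) & 0xFF:  # every ACPI table sums to zero modulo 256
        raise ValueError("bad ACPI checksum")
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    if args_off + args_len > length:
        raise ValueError("argument string overruns the table")
    args = table[args_off:args_off + args_len].decode("utf-16-le", "replace")
    return {
        "oem_id": oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
        "oem_table_id": oem_table.rstrip(b"\0 ").decode("ascii", "replace"),
        "revision": revision,
        "handoff_size": size,      # bytes of physical memory holding the PE image
        "handoff_address": addr,   # physical address of the flat PE image
        "content_layout": layout,
        "content_type": ctype,
        "arguments": args.rstrip("\0"),  # command line handed to the binary
    }


def build_sample(args: str = "/demo") -> bytes:
    """Constructed table for offline use; every value here is made up."""
    raw = args.encode("utf-16-le")
    length = ACPI_HEADER.size + WPBT_BODY.size + len(raw)
    t = bytearray(ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"SAMPLE", b"CONSTRCT", 1, b"TEST", 1))
    t += WPBT_BODY.pack(0x2000, 0x7A000000, 1, 1, len(raw)) + raw
    t[9] = -sum(t) & 0xFF  # checksum byte lives at offset 9 of the header
    return bytes(t)


if __name__ == "__main__":
    # On Linux (as root) pass a dumped table, e.g. /sys/firmware/acpi/tables/WPBT
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in parse_wpbt(data).items():
        print(f"{key}: {value}")
```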
All these issues have been with the "consumer"-grade cheap laptops which have always been garbage, right? I don't think any of them have happened on ThinkPads.
When does the BIOS install the files, at boot time, or when the OS is running?
If at boot, this should require BIOS drivers for read+write NTFS filesystem support in order to know where in the primary drive the BIOS needs to install the files, which means the BIOS can hold a much larger amount of storage than expected.
If when the OS is running, this opens up the potential for many new scarier exploits and backdoors, even for a more secure OS with different file systems, such as Linux or *BSD, beyond just storage, such as memory and network access.
Does this still work with FDE (Full Disk Encryption), such as BitLocker, TrueCrypt, BestCrypt, PGPDisk, etc.?
Yep, my ThinkPad X250 has this, and there is a BIOS update to fix it.
Do not look at laser with remaining good eye.
Agreed. All unsubscribed adverts are scummy.
Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
Really? Because literally everything I've seen about it says none of the Think series are affected in any way. None of the ThinkPads are listed on Lenovo's download page (and in fact the initial advisory specifically states none of the Think-branded laptops are affected).
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
This has little to do with Intel CPUs and everything to do with Intel chipsets. The CPUs are interchangeable, but the chipsets on the motherboard are not. It's the chipset that is fused with the manufacturer's public key. The chipset then verifies the firmware/EFI/BIOS software.