Lenovo Installed Software On Laptops That Persisted After Complete Wipes
An anonymous reader writes: The Next Web has confirmed reports from owners of Lenovo laptops that the company used a BIOS feature to install its software on the laptops even if a user wiped a device clean and reinstalled the operating system. "If Windows 7 or 8 is installed, the BIOS of the laptop checks 'C:\Windows\system32\autochk.exe' to see if it's a Microsoft file or a Lenovo-signed one, then overwrites the file with its own. Then, when the modified autochk file is executed on boot, another two files LenovoUpdate.exe and LenovoCheck.exe are created, which set up a service and download files when connected to the internet." Lenovo has published a patch to remove this functionality. The article notes that this technique seems to be sanctioned by a Microsoft policy. "Manufacturers are obligated to ensure that the mechanism can be updated if an attack is discovered and should be removable by the user, but the rules outlined in the document are fairly loose and don't require the OEM to notify the owner of the laptop that such a mechanism is in place."
When Windows auto-updates go horribly wrong, almost all users blame the h/w vendor, not Microsoft. So Lenovo uses this BIOS trick to protect their reputation. Why is this being depicted as malicious behaviour?
If you keep throwing chairs, one day you'll break windows....
What is the world coming to? It seems, no matter how obviously bad an idea is, somebody has to try it.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Never mind that in creating such a thing they've created a gigantic security hole in the hardware itself that an attacker could potentially use to make sure your computer is a permanent part of someone's botnet!
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Never buying from that company again and will, in my capacity as family tech support guy, ensure that nobody in my family buys one. Wow. That company cannot die quick enough.
This is actually a mechanism called Windows Platform Binary Table (WPBT).
More information can be found in the Microsoft WPBT whitepaper:
"This paper describes the format of a Windows Platform Binary Table (WPBT). The WPBT is a fixed Advanced Configuration and Power Interface (ACPI) table that enables boot firmware to provide Windows with a platform binary that the operating system can execute. The binary handoff medium is physical memory, allowing the boot firmware to provide the platform binary without modifying the Windows image on disk. In the initial version, the WPBT simply contains a physical address pointer to a flat, Portable Executable (PE) image that has been copied to physical memory. The WPBT is extensible, allowing the layout of published platform binaries to be more complex in future versions and allowing the support of more than one binary type.
It is expected that the binary pointed to by the WPBT is part of the boot firmware ROM image. The binary can be shadowed to physical memory as part of the initial bootstrap of the boot firmware, or it can be loaded into physical memory by extensible boot firmware code prior to executing any operating system code. A boot firmware component would create the WPBT based on the location of the platform binary. During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary. In the first version, the binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process. Windows may reclaim the physical memory described in the WPBT.
If Windows observes a WPBT during operating system initialization, it will attempt to use an ACPI control method to communicate binary execution status back to the platform."
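The table format the quoted whitepaper describes is small enough to inspect by hand. The following is an added example, not code from the whitepaper, Microsoft or Lenovo: it parses the standard 36-byte ACPI table header, verifies the ACPI checksum (all bytes of the table sum to zero modulo 256), and then reads the WPBT-specific fields (handoff memory size and physical location, content layout, content type, and the UTF-16 command line). The WPBT body layout is taken from my reading of the Microsoft WPBT specification and is an assumption as far as this page is concerned; check the offsets against the whitepaper before relying on them. The sample table is constructed in `build_wpbt` so the parser can be exercised offline; `find_wpbt` looks for the real table where the Linux kernel exports ACPI tables, which is a quick way to learn whether a given machine's firmware publishes a platform binary at all.

```python
import struct
from pathlib import Path

# Standard ACPI table header (36 bytes): Signature, Length, Revision, Checksum,
# OEMID, OEM Table ID, OEM Revision, Creator ID, Creator Revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT body, assumed layout: HandoffMemorySize (u32), HandoffMemoryLocation (u64,
# physical address), ContentLayout (u8, 1 = single PE image), ContentType (u8,
# 1 = native user-mode app), CommandLineLength (u16, bytes of UTF-16 that follow).
WPBT_BODY = struct.Struct("<IQBBH")


def acpi_checksum_ok(table: bytes) -> bool:
    """ACPI tables are valid only if every byte, checksum field included, sums to 0 mod 256."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Decode a raw WPBT blob into its fields, refusing malformed or tampered tables."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short to be a WPBT")
    sig, length, rev, _csum, oem_id, oem_table_id, oem_rev, creator, creator_rev = \
        ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: signature {sig!r}")
    if length != len(table):
        raise ValueError("ACPI length field does not match blob size")
    if not acpi_checksum_ok(table):
        raise ValueError("bad ACPI checksum")
    size, location, layout, ctype, cmd_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    cmd_off = ACPI_HEADER.size + WPBT_BODY.size
    if cmd_off + cmd_len > len(table):
        raise ValueError("command line runs past end of table")
    cmdline = table[cmd_off:cmd_off + cmd_len].decode("utf-16-le", errors="replace").rstrip("\x00")
    return {
        "revision": rev,
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", errors="replace"),
        "oem_table_id": oem_table_id.rstrip(b"\x00 ").decode("ascii", errors="replace"),
        "handoff_memory_size": size,
        "handoff_memory_location": location,
        "content_layout": layout,
        "content_type": ctype,
        "command_line": cmdline,
    }


def build_wpbt(handoff_addr: int, handoff_size: int, cmdline: str = "") -> bytes:
    """Construct a sample WPBT (test data only) with a correct ACPI checksum."""
    cmd = (cmdline + "\x00").encode("utf-16-le") if cmdline else b""
    body = WPBT_BODY.pack(handoff_size, handoff_addr, 1, 1, len(cmd)) + cmd
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"EXAMPL", b"EXAMPLE0", 1, b"EXMP", 1)
    raw = bytearray(header + body)
    raw[9] = (-sum(raw)) % 256          # checksum byte makes the whole table sum to 0
    return bytes(raw)


def find_wpbt(sysfs_path: Path = Path("/sys/firmware/acpi/tables/WPBT")):
    """On Linux the kernel exposes each ACPI table as a file; no file means no WPBT published."""
    if not sysfs_path.exists():
        return None
    return parse_wpbt(sysfs_path.read_bytes())


if __name__ == "__main__":
    sample = build_wpbt(0x7E000000, 0x20000, "/quiet")   # constructed values
    print("sample table:", parse_wpbt(sample))
    live = find_wpbt()
    print("this machine publishes a WPBT:" if live else "no WPBT on this machine", live or "")
```

The two checks worth keeping in mind as a defender: the table's existence tells you the firmware hands Windows a binary to run at every boot regardless of what is on disk, and the handoff location plus size tell you where in physical memory that image sits, so it can be dumped and hashed from a trusted environment rather than trusted by reputation.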
When I briefly worked inventory in 2008, Google management was thinking of abandoning Lenovo laptops as they kept finding backdoors for Chinese hackers in the BIOS. Not sure if they ever did. On the few contract assignments I've done for Google since then, everyone I worked with had a MacBook Pro laptop.
Sorry, but this is what happens when you let a country under the sway of a totalitarian government build you computers.
But isn't Lenovo based in China these days, not America?
... as long as it's constrained to only device drivers. That way we're not stuck, especially considering people are ditching optical drives.
Buck Feta. You know what to do.
holy god, talk about going off on a tangent. Tell me your thoughts on the NSA and FBI please
When does the bios install the files, at boot time, or when the OS is running?
If at boot, this should require BIOS drivers for read+write NTFS filesystem support in order to know where on the primary drive the BIOS needs to install the files, which means the BIOS can hold a much larger amount of storage than expected.
If when the OS is running, this opens up the potential for many new scarier exploits and backdoors, even for a more secure OS with different file systems, such as Linux or *BSD, beyond just storage, such as memory and network access.
Does this still work with FDE (Full Disk Encryption), such as bitlocker, truecrypt, bestcrypt, pgpdisk, etc.?
Tell me your thoughts on the NSA and FBI please
Do NOT buy an NSA or FBI laptop.
Wiped, hell - this rig looks like you could replace the entire hard drive, install Windows, then the BIOS (or is it EFI?) injects its crap in anyway.
Not like *that* would never be abused by the first script kiddie to notice it...
How long, Nimbus, will you abuse our patience?
Most of the time I roll my eyes at tangents, but with how few people care about the NSA issue, I support this one.
Ubuntu's shoveling adverts at you at every angle is pretty scummy.
Do not look at laser with remaining good eye.
It isn't just Lenovo. On most major brands of PC laptops, there is a BIOS setting that once set, can't be unset, which either enables LoJack for Laptops permanently, or permanently disables it. If it is set, it will always load the LoJack executables when Windows is installed, even if the hard disk is blank and the install media is clean.
Of course, this is a mechanism that can be both used for good or ill... I wouldn't be surprised to see BIOS attacks that allow an attacker to flash a Trojan dropper which will always be present even on a reinstall with the only fix being either a firmware upgrade (if the attacker didn't already block that), or replacement hardware. The only real way to prevent it is to virtualize everything, with the bare metal OS as thin as possible [1].
[1]: Would be nice to see something like VMWare ESXi, except with the ability to use the console graphically, one step up from a dumb terminal.
Agreed. All unsubscribed adverts are scummy.
Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
RTFA, numbnuts.
... install Windows ...
I think I just found how to fix it. Don't install Windows!
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
As I've been saying for the past 6 or 7 years: Sensible folks don't use Ubuntu.
(I never have, and never will.)
There are only about 50 other "major" distros out there to choose from. And hundreds of lesser ones.
There is no Planet B.
"If Windows 7 or 8 is installed, the BIOS of the laptop checks 'C:\Windows\system32\autochk.exe' to see if it's a Microsoft file or a Lenovo-signed one, then overwrites the file with its own.
Since this doesn't require my agreement, then does that mean I'm unrestricted as to what I can do with it? Namely, reverse compiling, distributing, etc?
~Loyal
I aim to misbehave.
The root problem is the people who design a feature to allow code to persist through a wipe and don't see that as a huge security hole!
Security is simple if you care about it; things like a BIOS update shouldn't be possible without a physical action by the user. For example, a jumper on the motherboard has to be installed during the boot (which can easily be extended to a button on the case), which would look for a specific file in a specific location and update the BIOS after confirming on screen with the user. The jumper would then have to be removed prior to the system booting normally.
Any feature that a good application can use to update your system, a bad application can use as well. To use a car analogy, a security "feature" that lets you unlock your car if you've lost your keys (which sounds useful on its face) - also allows a bad guy to unlock your car.
"Grab them by the pussy" -- President of the United States of America
As I've been saying for the past 6 or 7 years: Sensible folks don't use Ubuntu.
Why not? I use ubuntu daily on my laptop. I also run an ubuntu based cluster, and I've used plenty of AWS instances with ubuntu. I've never had adverts shovelled at me and it seems to work very well.
SJW n. One who posts facts.
Lenovo Installed Software Making Laptops Vulnerable to Hacking: Experts videoturkiye.Net http://www.videoturkiye.net/le...
According to the patch notes, it seems that Thinkpads are not affected. In fact, even though Thinkpads are made by Lenovo, they can almost be considered a separate brand, closer to its IBM roots than to Lenovo's other products.
Additionally, workstation-class laptops mostly target professional users that use whatever OS is needed for the job, and it is often Windows. Sometimes, if it is a company policy, you don't even have the choice.
They could be loading Adobe Flash
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
On the plus side, the script kiddie might have a somewhat tricky time of it. On the minus side, if the OEM doesn't cave, or is actively hostile, you are also going to have a nasty time of it.
Suitably recent Intel CPUs have 'Intel Boot Guard' (just above the middle of page 4). Apparently, in practice, basically all the vendors ship in 'Verified boot' mode. Their public key is fused into the silicon at the factory; and if the appropriate private key wasn't used to sign the firmware, no dice.
The 'measured boot' capability is a bit more interesting; but largely moot because nobody uses it. I wouldn't put it past an OEM to somehow screw this up; but all reasonably contemporary laptops are not going to take kindly to 3rd party firmware.
What if Windows is installed in a non-standard path? Will this BIOS tool still be able to inject the stuff?
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
The patch notes lie. Thinkpads are affected too.
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
Ubuntu Server, Kubuntu, and Xubuntu don't have the "shopping lens" that Ubuntu Unity has.
Back in 2011, I had a virus which persisted on my Blackberry after a full factory reset and clear. Nasty little bugger, also infected my Kindle, my wireless smart monitor and xbox, and a SecureRom bios secured machine. Sliced through it all like butter, and reinstalled itself even after full wipes.
I now carry only a laptop. No cell phones. No nothing. That kind of trouble's just too much for me.
Does that mean you can't buy a used Intel CPU and put it in a different brand's computer? Or does this only apply to laptop CPUs that are soldered in.
So, in this case, adding a security feature means opening the machine up to third party hacking.
trick question. Windows only installs on a standard path.
Sleep your way to a whiter smile...date a dentist!
The Malware's baked-in-goodness from the factory!
Not like *that* would never be abused by the first script kiddie [^h][^h][^h][^h][^h][^h][^h][^h]Government Agency to notice it...
FTFY.
Also, command line is not difficult to learn or use; and it is incredibly powerful.
Whoosh!
> I think I just found how to fix it. Don't install Windows!
The solution to so many life's problems.
pr0n - keeping monitor glass spotless since 1981.
Sorry, but this is what happens when you let a country under the sway of a totalitarian government build you computers.
I didn't know that Lenovo was built in the U.S.A.
Can you point to any information on that? Would be interesting to see a list of affected models.
holy god, talk about going off on a tangent. Tell me your thoughts on the NSA and FBI please
They're trying to close the gap with CIA, but they are not yet full up to speed on having big guys (nobody cares who they are until they put on the mask) crash their operation with no survivors.
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
This has little to do with Intel CPUs and everything to do with Intel chipsets. The CPUs are interchangeable, but the chipsets on the motherboard are not. It's the chipset that is fused with the manufacturer's public key. The chipset then verifies the firmware/EFI/BIOS software.
"Lenovo Installed Malware On Laptops That Persisted After Complete Wipes"
FTFY
Just cruising through this digital world at 33 1/3 rpm...
I agree, but I have the choice to use a different distro, and I do.
Still Ubuntu is nothing--- absolutely nothing--- compared to the steaming pile on a machine I just got from HP, which came with windows 8.1 preloaded.
For years, the sole windows installation I had on any machine was XP SP3. I can't believe how much worse windows has become over the years. Incredible levels of protection to make it hard to uninstall the crapware. Nagging pop-ups. Malware susceptibility (the computer had McAfee pre-installed, so I suppose I shouldn't be surprised).
And just as a simple example of why I prefer Linux --- try to find a way to switch the caps lock and left control keys, as I routinely do on Linux with just a couple of menu clicks. (Yes, it can be done on windows, but ...)
Oh well, they say windows 10 is better, even though it's a purpose-built advertising platform.
This is the first time I've seen Bane posting on Slashdot. Thank you, made my day :)
Just run Windows under a VM on top of some *nix.
This will be used by at least one manufacturer to implement gradual device failure shortly after warranty.
Personally I have found dual booting is pointless since, unless you really steel yourself, you end up predominantly using the Microsoft OS, which for avid gamers is still the best OS (debatable) to use since "Games for Windows" are designed to be run on a Microsoft OS. Of course you could use Wine, but that is debatable as well.
If you require a Microsoft OS for your work then, assuming the PC belongs to your work, you have no choice, although you may be able to run a Linux distribution in a virtual machine. For home use the best choice would be to run a Microsoft OS and run Linux in a virtual machine, or you could do it the other way around. For me, I run Linux only on my PCs and never run a Microsoft OS since I am not a PC gamer, although I do like gaming and I can pretty much find, normally free, applications that are at least on par with most applications that run under a Microsoft OS.
There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
At least Lenovo gives you a GUI with Windows 8. On EVIL COMMAND LINE LINUX you're stuck with bad evil hard-to-use command lines. You should be thankful that Lenovo gives you this extra software as a bonus instead of forcing you to use an EVIL command line!
The troll is strong with this one or is this sarcasm.
It seems you forgot the first rule of Windows - never use the even versions. Microsoft even went out of their way this last time and skipped version 9 in order to maintain consistency.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
Um, honestly I have a hard time getting upset over #1. If you can't trust the BIOS - the software that by its very nature has unrestricted access to every aspect of your computer and is responsible for loading the OS itself, then you're already screwed. Full Stop.
#2 on the other hand.... yeah, that's pretty much evidence that we can't trust the BIOS. See my previous point.
As for
>We would not be complaining about #2 if Lenovo was installing a fix for a video driver that they knew caused lock-ups on their hardware.
Yes, we would. We very much would. Such a "fix" would almost certainly end up locking you into one particular driver version, "helpfully" rolling back any newer driver you installed to fix additional issues/add new features/enhance performance. Presumably any Lenovo-released driver updates would update the BIOS as well, but let's be honest - when's the last time you saw a laptop manufacturer release up to date drivers, especially for a model they're no longer producing?
Even if not, the USA is under the sway of the allegedly totalitarian Kingdom of Saudi Arabia. If it weren't for USA's energy imports, its foreign policy makers might have been less likely to overlook rampant Saudi discriminatory treatment of women.
Jesus's definition of the scope of "love your neighbor" through his illustration of the good Samaritan is plenty anti-racist. (Luke 10:25-37)