Slashdot Mirror
Lenovo Installed Software On Laptops That Persisted After Complete Wipes
An anonymous reader writes: The Next Web has confirmed reports from owners of Lenovo laptops that the company used a BIOS feature to install its software on the laptops even if a user wiped a device clean and reinstalled the operating system. "If Windows 7 or 8 is installed, the BIOS of the laptop checks 'C:\Windows\system32\autochk.exe' to see if it's a Microsoft file or a Lenovo-signed one, then overwrites the file with its own. Then, when the modified autochk file is executed on boot, another two files LenovoUpdate.exe and LenovoCheck.exe are created, which set up a service and download files when connected to the internet." Lenovo has published a patch to remove this functionality. The article notes that this technique seems to be sanctioned by a Microsoft policy. "Manufacturers are obligated to ensure that the mechanism can be updated if an attack is discovered and should be removable by the user, but the rules outlined in the document are fairly loose and don't require the OEM to notify the owner of the laptop that such a mechanism is in place."
When Windows auto-updates go horribly wrong, almost all users blame the h/w vendor, not Microsoft. So Lenovo uses this BIOS trick to protect their reputation. Why is this being depicted as malicious behaviour?
If you keep throwing chairs, one day you'll break windows....
What is the world coming to?" It seems, no matter how obviously bad an idea is, somebody has to try it.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Nevermind that in creating such a thing they've created a gigantic security hole in the hardware itself that an attacker could potentially use to make sure your computer is a permanent part of someones botnet!
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Never buying from that company again and will, in my capacity as family tech support guy, ensure that nobody in my family buys one. Wow. That company cannot die quick enough.
This is actually a mechanism called Windows Platform Binary Table (WPBT).
More information can be found in the Microsoft WPBT whitepaper:
"This paper describes the format of a Windows Platform Binary Table (WPBT). The WPBT is a fixed Advanced Configuration and Power Interface (ACPI) table that enables boot firmware to provide Windows with a platform binary that the operating system can execute. The binary handoff medium is physical memory, allowing the boot firmware to provide the platform binary without modifying the Windows image on disk. In the initial version, the WPBT simply contains a physical address pointer to a flat, Portable Executable (PE) image that has been copied to physical memory. The WPBT is extensible, allowing the layout of published platform binaries to be more complex in future versions and allowing the support of more than one binary type.
It is expected that the binary pointed to by the WPBT is part of the boot firmware ROM image. The binary can be shadowed to physical memory as part of the initial bootstrap of the boot firmware, or it can be loaded into physical memory by extensible boot firmware code prior to executing any operating system code. A boot firmware component would create the WPBT based on the location of the platform binary. During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary. In the first version, the binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process. Windows may reclaim the physical memory described in the WPBT.
If Windows observes a WPBT during operating system initialization, it will attempt to use an ACPI control method to communicate binary execution status back to the platform."
When I briefly worked inventory in 2008, Google management was thinking of abandoning Lenovo laptops as they kept finding backdoors for Chinese hackers in the BIOS. Not sure if they ever did. On the few contract assignments I've done for Google since then, everyone I worked with had a MacBook Pro laptop.
Sorry, but this is what happens when you let a country under the sway of a totalitarian government build you computers.
But isn't Lenovo based in China these days, not America?
When does the bios install the files, at boot time, or when the OS is running?
If at boot, this should require bios drivers for read+write ntfs filesystem support in order to know where in the primary drive the bios needs to install the files, which means the bios can hold a much larger amount of storage then expected.
If when the OS is running, this opens up the potential for many new scarier exploits and backdoors, even for a more secure OS with different file systems, such as Linux or *BSD, beyond just storage, such as memory and network access.
Does this still work with FDE (Full Disk Encryption), such as bitlocker, truecrypt, bestcrypt, pgpdisk, etc.?
Tell me your thoughts on the NSA and FBI please
Do NOT buy an NSA or FBI laptop.
It isn't just Lenovo. On most major brands of PC laptops, there is a BIOS setting that once set, can't be unset, which either enables LoJack for Laptops permanently, or permanently disables it. If it is set, it will always load the LoJack executables when Windows is installed, even if the hard disk is blank and the install media is clean.
Of course, this is a mechanism that can be both used for good or ill... I wouldn't be surprised to see BIOS attacks that allow an attacker to flash a Trojan dropper which will always be present even on a reinstall with the only fix being either a firmware upgrade (if the attacker didn't already block that), or replacement hardware. The only real way to prevent it is to virtualize everything, with the bare metal OS as thin as possible [1].
[1]: Would be nice to see something like VMWare ESXi, except with the ability to use the console graphically, one step up from a dumb terminal.
... install Windows ...
I think I just found how to fix it. Don't install Windows!
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
"If Windows 7 or 8 is installed, the BIOS of the laptop checks 'C:\Windows\system32\autochk.exe' to see if it's a Microsoft file or a Lenovo-signed one, then overwrites the file with its own.
Since this doesn't require my agreement, then does that mean I'm unrestricted as to what I can do with it? Namely, reverse compiling, distributing, etc?
~Loyal
I aim to misbehave.
The root problem is the people who design a feature to allow code to persist through a wipe and don't see that as a huge security hole!
Security is simple is you care about it, things like a BIOS update shouldn't be possible without a physical action by the user. For example a jumper on the motherboard has to be installed during the boot (which can easily be extended to a button on the case) which would look for a specific file in a specific location and update the bios after confirming on screen with the user. The jumper would then have to be removed prior to the system booting normally.
Any feature that a good application can use to update your system, a bad application can use as well. To use a car analogy, a security "feature" that lets you unlock your car if you've lost your keys (which sounds useful on its face) - also allows a bad guy to unlock your car.
"Grab them by the pussy" -- President of the United States of America
They could be loading Adobe Flash
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
On the plus side, the script kiddie might have a somewhat tricky time of it. On the minus side, if the OEM doesn't cave, or is actively hostile, you are also going to have a nasty time of it.
Suitably recent Intel CPUs have 'Intel boot guard'(Just above the middle of page 4). Apparently, in practice, basically all the vendors ship in 'Verified boot' mode. Their public key is fused in to the silicon at the factory; and if the appropriate private key wasn't used to sign the firmware, no dice.
The 'measured boot' capability is a bit more interesting; but largely moot because nobody uses it. I wouldn't put it past an OEM to somehow screw this up; but all reasonably contemporary laptops are not going to take kindly to 3rd party firmware.
What if Windows is installed in a non-standard path? Will this BIOS tool still be able to inject the stuff?
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
> I think I just found how to fix it. Don't install Windows!
The solution to so many life's problems.
pr0n - keeping monitor glass spotless since 1981.
This has little to do with Intel CPUs and everything to do with Intel Chipsets. The CPUs are interchangeable, but the chipsets on the motherboard are not. It's the chipset that is fused with the manufacturer's public key. The chipset then verifies the FIrmware/EFI/BIOS software.