Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lenovo Installed Software On Laptops That Persisted After Complete Wipes

Posted by Soulskill on from the learned-nothing-from-superfish dept.

An anonymous reader writes: The Next Web has confirmed reports from owners of Lenovo laptops that the company used a BIOS feature to install its software on the laptops even if a user wiped a device clean and reinstalled the operating system. "If Windows 7 or 8 is installed, the BIOS of the laptop checks 'C:\Windows\system32\autochk.exe' to see if it's a Microsoft file or a Lenovo-signed one, then overwrites the file with its own. Then, when the modified autochk file is executed on boot, another two files LenovoUpdate.exe and LenovoCheck.exe are created, which set up a service and download files when connected to the internet." Lenovo has published a patch to remove this functionality. The article notes that this technique seems to be sanctioned by a Microsoft policy. "Manufacturers are obligated to ensure that the mechanism can be updated if an attack is discovered and should be removable by the user, but the rules outlined in the document are fairly loose and don't require the OEM to notify the owner of the laptop that such a mechanism is in place."

16 of 163 comments (clear)

  1. Simple, no malice from Lenovo by jkrise · · Score: 4, Funny

    When Windows auto-updates go horribly wrong, almost all users blame the h/w vendor, not Microsoft. So Lenovo uses this BIOS trick to protect their reputation. Why is this being depicted as malicious behaviour?

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:Simple, no malice from Lenovo by Djoulihen · · Score: 5, Insightful

      The problem is that this feature mostly targets users who are trying to get rid of lenovo software. On a laptop you would normally restore your system or reinstall windows using the recovery partition which is full of vendor-added software. If you went through the trouble of installing a clean version of windows (by finding an OEM install of windows you can use your key with) it probably means that you expect your installation to be clean of any lenovo software. But guess what, you still end up with Lenovo software installed behind your back. I'm not saying there is absolutely no good reason to have the Lenovo software installed, but they could at least prompt you with a message like "We detected that you are running a fresh installation of windows, would you like to install our software to improve the performances of your computer and fix known hardware problems ?". Then it's your choice to go along with their software or handle the possible windows update mess yourself like a responsible geek.

    2. Re:Simple, no malice from Lenovo by Impy+the+Impiuos+Imp · · Score: 5, Funny

      You must be newer. He was making a sarcasm.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    3. Re:Simple, no malice from Lenovo by Just+Some+Guy · · Score: 4, Insightful

      but they could at least prompt you with a message like "We detected that you are running a fresh installation of windows, would you like to install our software to improve the performances of your computer and fix known hardware problems ?"

      Yeah, no. Because even then they're injecting unknown code into your otherwise pristine environment; that dialog ain't gonna display itself.

      In the situation where the user has explicitly gone out of their way to install a clean OS, it's a fairly safe bet that they're expecting to boot into a clean freaking OS, not a "mostly clean except what the hardware vendor dicked around with" system. I don't want the Western Digital BIOS injecting a SATA driver update, or my keyboard injecting a keyboard driver update, or my laptop injecting a laptop driver update. If I'm capable of laying down a clean image, I'm capable of installing all that stuff myself if I want it.

      --
      Dewey, what part of this looks like authorities should be involved?
  2. Fuck Lenovo by bazmail · · Score: 4, Interesting

    Never buying from that company again and will, in my capacity as family tech support guy, ensure that nobody in my family buys one. Wow. That company cannot die quick enough.

    1. Re:Fuck Lenovo by Lumpy · · Score: 5, Informative

      Yep My Thinkpad X250 has this and there is a bios update to fix it.

      --
      Do not look at laser with remaining good eye.
  3. Windows Platform Binary Table by jones_supa · · Score: 5, Informative

    This is actually a mechanism called Windows Platform Binary Table (WPBT).

    More information can be found in the Microsoft WPBT whitepaper:

    "This paper describes the format of a Windows Platform Binary Table (WPBT). The WPBT is a fixed Advanced Configuration and Power Interface (ACPI) table that enables boot firmware to provide Windows with a platform binary that the operating system can execute. The binary handoff medium is physical memory, allowing the boot firmware to provide the platform binary without modifying the Windows image on disk. In the initial version, the WPBT simply contains a physical address pointer to a flat, Portable Executable (PE) image that has been copied to physical memory. The WPBT is extensible, allowing the layout of published platform binaries to be more complex in future versions and allowing the support of more than one binary type.

    It is expected that the binary pointed to by the WPBT is part of the boot firmware ROM image. The binary can be shadowed to physical memory as part of the initial bootstrap of the boot firmware, or it can be loaded into physical memory by extensible boot firmware code prior to executing any operating system code. A boot firmware component would create the WPBT based on the location of the platform binary. During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary. In the first version, the binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process. Windows may reclaim the physical memory described in the WPBT.

    If Windows observes a WPBT during operating system initialization, it will attempt to use an ACPI control method to communicate binary execution status back to the platform."

    1. Re:Windows Platform Binary Table by mythosaz · · Score: 4, Insightful

      In short then, the summary is wrong.

      Windows, not Lenovo, installs software on Lenovo laptops, by requesting the software from compatible hardware.

    2. Re:Windows Platform Binary Table by MobyDisk · · Score: 4, Informative

      Both are to blame because there are 2 distinct problems here:

      1. Microsoft trusts BIOS firmware enough to allow it to install arbitrary software on the machine.
      2. Lenovo BIOS miuses the feature to install crapware.

      We would not be complaining about #1 if Windows required user confirmation before doing this.
      We would not be complaining about #2 if Lenovo was installing a fix for a video driver that they knew caused lock-ups on their hardware.

      Technically though, the BIOS could probably do this even without Microsoft's help, although it would be much tougher to implement.

  4. Not sure if Google abandoned Lenovo... by __aaclcg7560 · · Score: 4, Interesting

    When I briefly worked inventory in 2008, Google management was thinking of abandoning Lenovo laptops as they kept finding backdoors for Chinese hackers in the BIOS. Not sure if they ever did. On the few contract assignments I've done for Google since then, everyone I worked with had a MacBook Pro laptop.

  5. Re:China ... by 0123456 · · Score: 5, Funny

    Sorry, but this is what happens when you let a country under the sway of a totalitarian government build you computers.

    But isn't Lenovo based in China these days, not America?

  6. Re:China ... by Anonymous Coward · · Score: 5, Funny

    Tell me your thoughts on the NSA and FBI please

    Do NOT buy an NSA or FBI laptop.

  7. LoJack for Laptops does this... by mlts · · Score: 4, Interesting

    It isn't just Lenovo. On most major brands of PC laptops, there is a BIOS setting that once set, can't be unset, which either enables LoJack for Laptops permanently, or permanently disables it. If it is set, it will always load the LoJack executables when Windows is installed, even if the hard disk is blank and the install media is clean.

    Of course, this is a mechanism that can be both used for good or ill... I wouldn't be surprised to see BIOS attacks that allow an attacker to flash a Trojan dropper which will always be present even on a reinstall with the only fix being either a firmware upgrade (if the attacker didn't already block that), or replacement hardware. The only real way to prevent it is to virtualize everything, with the bare metal OS as thin as possible [1].

    [1]: Would be nice to see something like VMWare ESXi, except with the ability to use the console graphically, one step up from a dumb terminal.

  8. Re:Lenovo by MachineShedFred · · Score: 5, Funny

    ... install Windows ...

    I think I just found how to fix it. Don't install Windows!

    --
    Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  9. Re:Licensing agreement by msauve · · Score: 4, Interesting
    It should mean that Lenovo gets prosecuted for violation of the CFAA:

    knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

    Deliberately replacing a file I've installed with one of their own sure seems like intentional damage to me.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  10. Re:Lenovo by fuzzyfuzzyfungus · · Score: 4, Interesting

    On the plus side, the script kiddie might have a somewhat tricky time of it. On the minus side, if the OEM doesn't cave, or is actively hostile, you are also going to have a nasty time of it.

    Suitably recent Intel CPUs have 'Intel boot guard'(Just above the middle of page 4). Apparently, in practice, basically all the vendors ship in 'Verified boot' mode. Their public key is fused in to the silicon at the factory; and if the appropriate private key wasn't used to sign the firmware, no dice.

    The 'measured boot' capability is a bit more interesting; but largely moot because nobody uses it. I wouldn't put it past an OEM to somehow screw this up; but all reasonably contemporary laptops are not going to take kindly to 3rd party firmware.