Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yet Another Compromising Preinstalled "Glitch" In Lenovo Laptops

Posted by timothy on from the hey-stop-catching-us! dept.

New submitter execthis writes: Japanese broadcaster NHK is reporting that yet another privacy/security-compromising "glitch" has been found to exist in preinstalled software on Lenovo laptops. The article states that the glitch was found in Spring and that in late July Lenovo began releasing a program to uninstall the difficult-to-remove software. The article does not specify, but it could be referring to a BIOS utility called Lenovo Service Engine (LSE) for which Lenovo has released a security advisory with links to removal tools for various models.

34 of 89 comments (clear)

  1. Re: Who would have thought there was more? by Anonymous Coward · · Score: 1

    Lenovo is now a puppet for the Chinese government. Of course they will have backdoor to spy on you.

  2. Re:Who would have thought there was more? by Z00L00K · · Score: 5, Insightful

    We are just seeing the tip of an iceberg here - we can't trust our computers anymore.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  3. Lenovo Ideacenter spyware too? by Anonymous Coward · · Score: 1

    Are their PC's based on their laptops affected too? Stuff like the Idea Center?

    IMHO, Lenovo are a piece of shit, I have an ideacenter of theirs and it won't switch on unless you unplug the network cable and power, press 'on' a few times, them plug them back in and press on. This is just yet another reason I won't buy any of their kit, PC, Android, phone.

    And where exactly are the privacy laws ?: "The utility also sends non-personally identifiable system data to Lenovo servers"

  4. Shitty article by buckfeta2014 · · Score: 5, Informative

    Why even post this article. It's 2 lines. "Oh we found something", well good for you, how about telling us what you actually found?

    --
    Buck Feta. You know what to do.
    1. Re:Shitty article by Incadenza · · Score: 1

      Why even post a summary that is longer than the article? Doesn't make sense.

    2. Re:Shitty article by LVSlushdat · · Score: 1

      because.

      BECAUSE this is /. and THATS what /. does.......

      --
      THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
    3. Re:Shitty article by execthis · · Score: 1

      I couldn't find any other news sites that had published anything about this. Also, NHK has shortened the article for some reason since I first saw it.

      However another good source of info is:

      How to Remove Lenovo's Alleged 'Bootkit' Software

      and also:

      Windows 10 Privacy Checklist mentions this issue

  5. Re:Who would have thought there was more? by PolygamousRanchKid+ · · Score: 1

    we can't trust our computers anymore

    Our computers? Even though I "bought" my computer . . . I'm not sure that I actually "own" it. There is probably a legalese expression in the fine print pf the documentation somewhere, that the manufacturer has a right to install any sort of spyware that they want on "my" computer.

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  6. Can't trust LOCKS anymore by Anonymous Coward · · Score: 2, Insightful

    FFS, courtesy of the TSA backdooring luggage locks, even the locks are worthless these days.
    http://boingboing.net/2015/08/21/make-your-own-tsa-universal-lu.html

    Spotify decides to help itself to all your data on your phone on an upgrade. And Google make a phone that permits that.

    Samsung installs spyware/helpware on their phones and tablets that let it take over the tablet remotely and do *everything*, read everything, fake SMSs intercept calls, the lot. Hackers backdoor this and suddenly people are aware their stuff is just spyware only because hackers 'misuse' it, as if that feature was ever useful.

    HTTPS/TLS is backdoored because certificate authorities are NSA backdoors.

    Uber has its 'god' app that spies on its customers wherever they go and whoever they meet with.

    It's like governments have abrogated their duty to protect people from this kind of shit and companies like Uber and Lenovo are having a field day.

    1. Re:Can't trust LOCKS anymore by ShaunC · · Score: 1

      It's like governments have abrogated their duty to protect people from this kind of shit and companies like Uber and Lenovo are having a field day.

      Governments love this shit. The more data Uber and Lenovo and Samsung and Spotify collect about you, the more data the government can subpoena (or just take without a subpoena). These companies have become, in effect, agents of the government.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re: Can't trust LOCKS anymore by Karlt1 · · Score: 1

      Spotify decides to help itself to all your data on your phone on an upgrade. And Google make a phone that permits that.

      Just checked my settings....Spotify has no access to my GPS, local contacts, or photos. I don't understand what this particular out cry was. Spotify can ask for whatever information it desires, but users are free to just say "no" when my phone asks me would I like to give it access.

  7. Its a dumb feature by Karmashock · · Score: 5, Interesting

    The last thing I want is my firmware getting updated automatically.

    I'd really like for all writable memory in my computer to be removable. And that includes the bios memory. Have it be a micro SD card or something.

    Here someone will say it will make the machine take 1 second longer to boot up or OH NOES the mobo will cost 10 cents more to make. But its worth it. It means you can audit the system to check for viruses really easily. You pull the chip, plug it into a clean system, and scan it. Or if you prefer... wipe it. Write the whole thing with ones then zeros... and then flash it with a proper version of the bios.

    And this also means that corrupted bios memory is less of a problem. You can pull the chip. Sure, if the processors or something else is damaged then this won't help. But i've had a few mobos that were totally fine except the bios was so corrupt you couldn't flash a fresh version. With this change, that problem is gone.

    Cue people saying "you can't do that because no one has done it that way yet"... climb a fucking tree so I can throw bananas at you then, you filthy animal! :-D

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:Its a dumb feature by drinkypoo · · Score: 2

      What I want way more than removable is I want bios write enable jumpers back. Some motherboards have them, but they are rare. I buy Gigabyte boards, so they have dual BIOS, so I'm not worried about my BIOS being taken out. If I had a WP jumper, I wouldn't be concerned about it being maliciously overwritten, either.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Its a dumb feature by drinkypoo · · Score: 1

      A write protect jumper would be an improvement, but not a solution. Once you have a compromised BIOS, it is very difficult to detect the infection and practically impossible to clean it

      If I have control over the WE line on the flash, who cares? But if that's your criteria, why not just give JTAG or similar access to the flash? The pins would be cheaper than socketing the chip, using an MMC, whatever.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Its a dumb feature by wbr1 · · Score: 1

      There were and maybe stillbare, enthusiast mobos with two BIOS chips. Fry one you could flash the other. Could also open up easy BIOS hacking or alt replacements.

      --
      Silence is a state of mime.
    4. Re:Its a dumb feature by drinkypoo · · Score: 1

      There were and maybe stillbare, enthusiast mobos with two BIOS chips. Fry one you could flash the other.

      Gigabyte used to do that, but I'm pretty sure they just use one big bios chip now. If the first bios fails to load they just tie one address line high (or low, but I think it's high) and try to load again.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Its a dumb feature by Karmashock · · Score: 4, Interesting

      I want the want the writable memory chip to be a micro SD card. or something equally easy to plug into another machine to independently wipe it and verify that its wiped.

      Let me add some additional benefits of this... DRIVERS.

      If we use an SD card, then we can put more stuff on it than just the bios. OR the bios could be fucking massive. Either concept has some interesting possibilities.

      Imagine if the OS queried the motherboard for drivers. We could store viable copies of the drivers the system needs to use most of the installed hardware. That's nifty. Reinstall... no need to go hunting around for the right driver files. Automatically installed... actually. Not in theory... but actually. Anyone that has built a lot of machines knows what I'm talking about.

      And a giant bios could mean the bios could have a lot of additional functionality built into it. Not just the man behind the curtain.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    6. Re:Its a dumb feature by wbr1 · · Score: 1

      And guess what... The preloaded in flash driver for our USB 3 controller includes.....ad blaster rootkit 2.0a

      --
      Silence is a state of mime.
    7. Re:Its a dumb feature by Karmashock · · Score: 1

      Because I want to pull it.

      As to the added cost... I'll pay it. Fucking charge me for it. I'll pay the extra 10 dollars for the feature. Other people don't want to pay it? Don't. I want that feature. Its well worth the 2~10 dollars it would cost to do that.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    8. Re:Its a dumb feature by Karmashock · · Score: 1

      ... yes if you drivers are infected then you'll have infected your machine. But if you have version control and known good copies then you can negate the issue by overwriting everything with known goods.

      You can erase and verify the erasure of all writable memory, then write the known good bios and drivers.

      Make constructive comments please. Anyone can gainsay anything. You can gainsay water, air, the Sun...its not hard to do. Be constructive. Its the only potentially useful thing.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    9. Re:Its a dumb feature by Karmashock · · Score: 1

      http://slashdot.org/comments.p...
      "Cue people saying "you can't do that because no one has done it that way yet""

      I can't tell if you're kidding... or if I'm psychic but forgot to buy bananas.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    10. Re:Its a dumb feature by Antique+Geekmeister · · Score: 1

      As soon as you put "removable" BIOS chips back, you have to provide physical access to that chip, you have to provide board space to mount it, it increases the price of the motherboard, and most important to security, it provides the possibility of corrupt vendor replacement of the BIOS chip with their _own_ socket replaced chip with only poweroff physical access, not console access to run the drivers or work with attached boot media.

      I'm not saying this is a greater attack vector: but it's one that has to be considered for high security systems.

    11. Re:Its a dumb feature by Karmashock · · Score: 1

      I would need to be able to physically pull the bios memory chip and plug it into another machine... and write lock it when I wasn't messing with it... to even begin to feel comfortable with this feature.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    12. Re:Its a dumb feature by Karmashock · · Score: 1

      Not even remotely similar.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    13. Re:Its a dumb feature by Agripa · · Score: 1

      The write protect jumpers were originally used because Flash memory at the time required an external high voltage supply for programming and the cheapest way to control this was through a physical jumper.

      I agree that controlling this through hardware is a good idea. The programming supply is no longer available for this but the write protect jumper could block the write strobe instead. Unfortunately some newer Flash memories do not have a separate write strobe either.

  8. Re: Who would have thought there was more? by Crashmarik · · Score: 1

    Easy fix: wipe the system and install Linux. No self respecting /. reader runs an OS provided by the machine manufacturer, with all the crapware preinstalled.

    That goes for Lenovo, Dell, HP, Asus, etc -- all of them.

    Help your friends and family get converted over to OpenSource!

    LOL and then watch the UEFI bios reinstall everything without telling you

    http://www.techworm.net/2015/0...

  9. Re: Who would have thought there was more? by RoverDaddy · · Score: 5, Informative

    The BIOS isn't installing apps to the hard drive (give it time?) As AC indicates this is a Windows-only issue. the BIOS -holds- an application that Windows helpfully detects and installs into itself on behalf of the hardware. A Linux system will totally ignore the app (which is Windows-specific anyway!!) sitting in the BIOS.

    --
    RETURN without GOSUB in line 1050
  10. Re:Who would have thought there was more? by drinkypoo · · Score: 1

    We are just seeing the tip of an iceberg here - we can't trust our computers anymore.

    You haven't been able to trust your computer since flash bios and/or programmable CPU microcode. If you've been trusting your computer between then and now, you're a rube.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  11. Simpsons did it by gavron · · Score: 1

    Covered on slashdot ten days ago:
    http://tech.slashdot.org/story...

    "Those who do not learn from history are doomed to repeat it" - Santayana

    E

  12. Re: Who would have thought there was more? by eggnet · · Score: 1

    If you have windows 7 the bios replaces the file. The feature you mention is only for windows 8 and 10.

  13. The real glitch is... by davidwr · · Score: 1

    ... it wasn't hidden well enough and somebody noticed.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  14. Re:Who would have thought there was more? by arglebargle_xiv · · Score: 1

    Funny thing about this, I have a business-grade Lenovo laptop, and whenever one of these stories has come out I've looked to see whether I've got whatever backdoor/malware is being talked about on my machine. Nothing. No trace of any of them. So it seems the way to avoid these things is to buy a business-market Lenovo PC, not a home/casual-user market one. Backdooring large businesses seems to be something they don't want to risk...

    (One possible reason for this is that apart from the political repercussions, you're paying a significant premium for their business-grade hardware, so they don't need to subsidise it with adware and other crap).

  15. Re:Who would have thought there was more? by Z00L00K · · Score: 1

    Backdooring business is risky but also very profitable, just because you didn't see it doesn't mean that it's non-existent. It may just mean that it needs a specific trigger to get activated.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  16. Lessons won the hard way by villageelder1 · · Score: 1

    Lesson to the wise: 1) Buy good, newish, used computers at a large discount off new prices and save money 2) Wipe the hard drive clean (or install a new one) 3) Install the OS of your choice (a Linux version is best) and save more money, and lastly, 4) Install whatever applications programs you want from a trusted Linux repository onto your hard drive and save even more money. End result: The only software residing on your "new" computer should be software that you want or don't mind having. Unfortunately, if you want something done correctly you usually must do it yourself.