Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Software Portables Security Windows

Lenovo Installed Software On Laptops That Persisted After Complete Wipes 163

An anonymous reader writes: The Next Web has confirmed reports from owners of Lenovo laptops that the company used a BIOS feature to install its software on the laptops even if a user wiped a device clean and reinstalled the operating system. "If Windows 7 or 8 is installed, the BIOS of the laptop checks 'C:\Windows\system32\autochk.exe' to see if it's a Microsoft file or a Lenovo-signed one, then overwrites the file with its own. Then, when the modified autochk file is executed on boot, another two files LenovoUpdate.exe and LenovoCheck.exe are created, which set up a service and download files when connected to the internet." Lenovo has published a patch to remove this functionality. The article notes that this technique seems to be sanctioned by a Microsoft policy. "Manufacturers are obligated to ensure that the mechanism can be updated if an attack is discovered and should be removable by the user, but the rules outlined in the document are fairly loose and don't require the OEM to notify the owner of the laptop that such a mechanism is in place."
This discussion has been archived. No new comments can be posted.

Lenovo Installed Software On Laptops That Persisted After Complete Wipes

Comments Filter:
  • by jkrise ( 535370 ) on Wednesday August 12, 2015 @11:02AM (#50301695) Journal

    When Windows auto-updates go horribly wrong, almost all users blame the h/w vendor, not Microsoft. So Lenovo uses this BIOS trick to protect their reputation. Why is this being depicted as malicious behaviour?

    • by Anonymous Coward

      You must be new here.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Because geeks want to maintain complete control over that sort of thing, and when the vendor takes that away it feels like they are crossing a line.

      This emotional response shouldn't be hard to understand or predict. Lenovo should continue doing this, but should put public disclosures of this sort of thing in easy-to-find documentation so that geeks know about this going in, rather than discover it on the outside. That wouldn't hurt their sales at all but would palliate a lot of nerd rage.

      • That wouldn't hurt their sales at all

        In fact, it would help their sales. Geeks love transparency. And if I know it's there and I know that MS dictates that it must be able to be disabled, I now have a reason to call them so they can make a sales pitch, as I'm sure they won't document how to disable it without a phone call.

    • by Djoulihen ( 1805868 ) on Wednesday August 12, 2015 @11:17AM (#50301855)
      The problem is that this feature mostly targets users who are trying to get rid of lenovo software. On a laptop you would normally restore your system or reinstall windows using the recovery partition which is full of vendor-added software. If you went through the trouble of installing a clean version of windows (by finding an OEM install of windows you can use your key with) it probably means that you expect your installation to be clean of any lenovo software. But guess what, you still end up with Lenovo software installed behind your back. I'm not saying there is absolutely no good reason to have the Lenovo software installed, but they could at least prompt you with a message like "We detected that you are running a fresh installation of windows, would you like to install our software to improve the performances of your computer and fix known hardware problems ?". Then it's your choice to go along with their software or handle the possible windows update mess yourself like a responsible geek.
      • by Anonymous Coward

        I'm not saying there is absolutely no good reason to have the Lenovo software installed, but they could at least prompt you with a message like "We detected that you are running a fresh installation of windows, would you like to install our software to improve the performances of your computer and fix known hardware problems ?". Then it's your choice to go along with their software or handle the possible windows update mess yourself like a responsible geek.

        That is exactly what the software does, it doesn't install any bloatware, just a program that checks to see if said bloatware has been installed, and if it hasn't been installed it makes a nag popup to ask you to install it.

      • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Wednesday August 12, 2015 @02:51PM (#50303749) Homepage Journal

        but they could at least prompt you with a message like "We detected that you are running a fresh installation of windows, would you like to install our software to improve the performances of your computer and fix known hardware problems ?"

        Yeah, no. Because even then they're injecting unknown code into your otherwise pristine environment; that dialog ain't gonna display itself.

        In the situation where the user has explicitly gone out of their way to install a clean OS, it's a fairly safe bet that they're expecting to boot into a clean freaking OS, not a "mostly clean except what the hardware vendor dicked around with" system. I don't want the Western Digital BIOS injecting a SATA driver update, or my keyboard injecting a keyboard driver update, or my laptop injecting a laptop driver update. If I'm capable of laying down a clean image, I'm capable of installing all that stuff myself if I want it.

        • or my keyboard injecting a keyboard driver update, or my laptop injecting a laptop driver update. If I'm capable of laying down a clean image, I'm capable of installing all that stuff myself if I want it.

          As it is I get annoyed when Windows update tries to installed bloated Logitech drivers for my wireless Mouse / keyboard. They work fine as standard USB items, leave it that way!

          I think it was the upgrade from Win8.0 to 8.1 that automatically installed bloated drivers from Logitech, and the shitty Synaptics drivers for my touchpad.

    • Re: (Score:3, Funny)

      by Anonymous Coward

      When Windows auto-updates go horribly wrong, almost all users blame the h/w vendor, not Microsoft.

      What the fuck are you talking about? Everyone, and I mean EVERYONE blames Microsoft.

    • Re: (Score:1, Insightful)

      When Windows auto-updates go horribly wrong, almost all users blame the h/w vendor, not Microsoft. So Lenovo uses this BIOS trick to protect their reputation. Why is this being depicted as malicious behaviour?

      Do you work for Lenovo or are you just stoned?

      This has nothing to do with protecting their reputation. This is a "We are installing really nasty spyware on your computer that you don't want and if you try and do a clean install we're going to install it again anyway".
      http://www.ign.com/articles/20... [ign.com]

      I will never buy a Lenovo product, nor recommend one to any of my clients.

      • by donaldm ( 919619 )

        I have two HP laptops and except for changing the thermal paste on my gaming laptop I have never had any problems. I don't even get adds or annoying popups but then again I have never ran a Microsoft OS on them. My oldest laptop is over six years and still runs the latest version of Fedora (22) without any issues.

        One policy I have always set is to turn off auto updates. So while I do see that updates are available I only manually update (GUI or command line although personally I prefer the command line) whe

    • Two very good reasons: because they didn't tell their users, and because there is no way to disable it.
  • by gweihir ( 88907 ) on Wednesday August 12, 2015 @11:03AM (#50301703)

    What is the world coming to?" It seems, no matter how obviously bad an idea is, somebody has to try it.

    • You didn't think they were really going to let you own the thing you purchased from them, did you?

      • by gweihir ( 88907 )

        Well, _I_ am capable of ripping out any and all crap they put in there, but most people are not. But it takes way too much time to do so, so I will not buy anything from them again without careful research.

  • by kheldan ( 1460303 ) on Wednesday August 12, 2015 @11:03AM (#50301713) Journal
    Nevermind that in creating such a thing they've created a gigantic security hole in the hardware itself that an attacker could potentially use to make sure your computer is a permanent part of someones botnet!
    • Companies, and governments, who do this are too stupid/greedy/indifferent to care.

      They want it for their purposes, and they simply don't give a damn if it can be used by someone else.

      You can't have any mechanism which does this which isn't exploitable. But the people who decide to do this are only interested in their own needs.

      • Companies and governments are stupid/greedy/indifferent.

        fyp
        The purpose of a company is to move money from your pockets to its shareholders.
        The purpose of government is to create laws that facilitate the flow.

        Constitutions notwithstanding.

    • by hacker ( 14635 )

      Nevermind that in creating such a thing they've created a gigantic security hole in the hardware itself that an attacker could potentially use to make sure your computer is a permanent part of someones botnet!

      You think that wasn't the whole point to begin with? A remotely activated sleeper that sits on everyone's Windows machine at boot, and can run any executable dropped on the filesystem, silently and at every boot? The .gov is probably wringing their hands at the possibilities. Seriously. They're already doing it on phones, why not on everyone's personal computers as well?

  • Fuck Lenovo (Score:5, Interesting)

    by bazmail ( 764941 ) on Wednesday August 12, 2015 @11:03AM (#50301715)
    Never buying from that company again and will, in my capacity as family tech support guy, ensure that nobody in my family buys one. Wow. That company cannot die quick enough.
  • by jones_supa ( 887896 ) on Wednesday August 12, 2015 @11:05AM (#50301729)

    This is actually a mechanism called Windows Platform Binary Table (WPBT).

    More information can be found in the Microsoft WPBT whitepaper [microsoft.com]:

    "This paper describes the format of a Windows Platform Binary Table (WPBT). The WPBT is a fixed Advanced Configuration and Power Interface (ACPI) table that enables boot firmware to provide Windows with a platform binary that the operating system can execute. The binary handoff medium is physical memory, allowing the boot firmware to provide the platform binary without modifying the Windows image on disk. In the initial version, the WPBT simply contains a physical address pointer to a flat, Portable Executable (PE) image that has been copied to physical memory. The WPBT is extensible, allowing the layout of published platform binaries to be more complex in future versions and allowing the support of more than one binary type.

    It is expected that the binary pointed to by the WPBT is part of the boot firmware ROM image. The binary can be shadowed to physical memory as part of the initial bootstrap of the boot firmware, or it can be loaded into physical memory by extensible boot firmware code prior to executing any operating system code. A boot firmware component would create the WPBT based on the location of the platform binary. During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary. In the first version, the binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process. Windows may reclaim the physical memory described in the WPBT.

    If Windows observes a WPBT during operating system initialization, it will attempt to use an ACPI control method to communicate binary execution status back to the platform."

    • by mythosaz ( 572040 ) on Wednesday August 12, 2015 @11:24AM (#50301915)

      In short then, the summary is wrong.

      Windows, not Lenovo, installs software on Lenovo laptops, by requesting the software from compatible hardware.

      • by MobyDisk ( 75490 ) on Wednesday August 12, 2015 @01:14PM (#50302817) Homepage

        Both are to blame because there are 2 distinct problems here:

        1. Microsoft trusts BIOS firmware enough to allow it to install arbitrary software on the machine.
        2. Lenovo BIOS miuses the feature to install crapware.

        We would not be complaining about #1 if Windows required user confirmation before doing this.
        We would not be complaining about #2 if Lenovo was installing a fix for a video driver that they knew caused lock-ups on their hardware.

        Technically though, the BIOS could probably do this even without Microsoft's help, although it would be much tougher to implement.

        • Um, honestly I have a hard time getting upset over #1. If you can't trust the BIOS - the software that by its very nature has unrestricted access to every aspect of your computer and is responsible for loading the OS itself, then you're already screwed. Full Stop.

          #2 on the other hand.... yeah, that's pretty much evidence that we can't trust the BIOS. See my previous point.

          As for
          >We would not be complaining about #2 if Lenovo was installing a fix for a video driver that they knew caused lock-ups on thei

          • by MobyDisk ( 75490 )

            Yeah, if you don't trust the BIOS then you are not in good shape.

            Yes, we would. We very much would. Such a "fix" would almost certainly end up locking you into one particular driver version, "helpfully" rolling back any newer driver you installed to fix additional issues/a

            That's a strawman attack. I specifically said "installing a fix for a video driver that they knew caused lock-ups." You changed my scenario to "overwriting the video driver blindly" then attacked that scenario.

    • by Rob Riggs ( 6418 )
      Interesting. Does the UEFI BIOS need to be signed or can anyone update the BIOS and install their own persistent root kit?
      • The binary itself (loaded from the WPBT) needs signed with and is inspected by Signtool.

        • by Rob Riggs ( 6418 )
          Cool tool to have at one's disposal during the prelude to a cyberwar. (The key players in any likely cyberwar all have the ability to sign anything they desire.)
  • China ... (Score:1, Offtopic)

    by gstoddart ( 321705 )

    Sorry, but this is what happens when you let a country under the sway of a totalitarian government build you computers.

    However, as almost every other government more or less demands the same thing ... this as the new normal.

    You can (and should) be outraged. But the fact that governments want back doors for everything is pretty clear.

    I see this as precisely no different from the US tapping the telecom systems of other countries. People claim it's their right, and then get all freaked out when someone else

    • by 0123456 ( 636235 ) on Wednesday August 12, 2015 @11:09AM (#50301785)

      Sorry, but this is what happens when you let a country under the sway of a totalitarian government build you computers.

      But isn't Lenovo based in China these days, not America?

    • holy god, talk about going off on a tangent. Tell me your thoughts on the NSA and FBI please

      • by Anonymous Coward on Wednesday August 12, 2015 @11:24AM (#50301919)

        Tell me your thoughts on the NSA and FBI please

        Do NOT buy an NSA or FBI laptop.

      • Most of the time I roll my eyes at tangents, but with how few people care about the NSA issue, I support this one.

      • by Mal-2 ( 675116 )

        holy god, talk about going off on a tangent. Tell me your thoughts on the NSA and FBI please

        They're trying to close the gap with CIA, but they are not yet full up to speed on having big guys (nobody cares who they are until they put on the mask) crash their operation with no survivors.

    • Sorry, but this is what happens when you let a country under the sway of a totalitarian government build you computers.

      I didn't know that Lenovo was built in the U.S.A.

      • by tepples ( 727027 )

        Even if not, the USA is under the sway of the allegedly totalitarian Kingdom of Saudi Arabia. If it weren't for USA's energy imports, its foreign policy makers might have been less likely to overlook rampant Saudi discriminatory treatment of women.

  • by __aaclcg7560 ( 824291 ) on Wednesday August 12, 2015 @11:06AM (#50301745)
    When I briefly worked inventory in 2008, Google management was thinking of abandoning Lenovo laptops as they kept finding backdoors for Chinese hackers in the BIOS. Not sure if they ever did. On the few contract assignments I've done for Google since then, everyone I worked with had a MacBook Pro laptop.
    • Re: (Score:1, Funny)

      by Anonymous Coward

      When I briefly worked inventory in 2008, Google management was thinking of abandoning Lenovo laptops as they kept finding backdoors for Chinese hackers in the BIOS. Not sure if they ever did. On the few contract assignments I've done for Google since then, everyone I worked with had a MacBook Pro laptop.

      I am beginning to suspect that there is a Chink in the security of these devices.

  • ... as long as it's constrained to only device drivers. That way we're not stuck, especially considering people are ditching optical drives.
    • by tepples ( 727027 )

      How would one get stuck? Connect USB flash drive containing the operating system installer to USB port, connect a second flash drive containing additional drivers if necessary to second USB port, and reinstall.

  • Details missing... (Score:4, Informative)

    by ad454 ( 325846 ) on Wednesday August 12, 2015 @11:14AM (#50301833) Journal

    When does the bios install the files, at boot time, or when the OS is running?

    If at boot, this should require bios drivers for read+write ntfs filesystem support in order to know where in the primary drive the bios needs to install the files, which means the bios can hold a much larger amount of storage then expected.

    If when the OS is running, this opens up the potential for many new scarier exploits and backdoors, even for a more secure OS with different file systems, such as Linux or *BSD, beyond just storage, such as memory and network access.

    Does this still work with FDE (Full Disk Encryption), such as bitlocker, truecrypt, bestcrypt, pgpdisk, etc.?

    • RTFA, numbnuts.

    • by tlhIngan ( 30335 )

      When does the bios install the files, at boot time, or when the OS is running?

      If at boot, this should require bios drivers for read+write ntfs filesystem support in order to know where in the primary drive the bios needs to install the files, which means the bios can hold a much larger amount of storage then expected.

      If when the OS is running, this opens up the potential for many new scarier exploits and backdoors, even for a more secure OS with different file systems, such as Linux or *BSD, beyond just sto

    • by wbr1 ( 2538558 )
      It is windows doing during windows boot. The BIOS puts a binary into RAM at a set address, Windows reads it and injects it into the boot sequence. This is normal windows behavior (however stupid or needed it is).

      Scarier to me is that instead of basic driver/ACPI junk Lenovo is apparently using it to download and install MORE executables onto the PC. This is rootkit behavior.

  • Licensing agreement (Score:4, Interesting)

    by LoyalOpposition ( 168041 ) on Wednesday August 12, 2015 @11:50AM (#50302145)

    "If Windows 7 or 8 is installed, the BIOS of the laptop checks 'C:\Windows\system32\autochk.exe' to see if it's a Microsoft file or a Lenovo-signed one, then overwrites the file with its own.

    Since this doesn't require my agreement, then does that mean I'm unrestricted as to what I can do with it? Namely, reverse compiling, distributing, etc?

    ~Loyal

    • by msauve ( 701917 ) on Wednesday August 12, 2015 @12:23PM (#50302451)
      It should mean that Lenovo gets prosecuted for violation of the CFAA [wikipedia.org]:

      knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

      Deliberately replacing a file I've installed with one of their own sure seems like intentional damage to me.

  • by Macdude ( 23507 ) on Wednesday August 12, 2015 @11:51AM (#50302159)

    The root problem is the people who design a feature to allow code to persist through a wipe and don't see that as a huge security hole!

    Security is simple is you care about it, things like a BIOS update shouldn't be possible without a physical action by the user. For example a jumper on the motherboard has to be installed during the boot (which can easily be extended to a button on the case) which would look for a specific file in a specific location and update the bios after confirming on screen with the user. The jumper would then have to be removed prior to the system booting normally.

    Any feature that a good application can use to update your system, a bad application can use as well. To use a car analogy, a security "feature" that lets you unlock your car if you've lost your keys (which sounds useful on its face) - also allows a bad guy to unlock your car.

  • Lenovo Installed Software Making Laptops Vulnerable to Hacking: Experts videoturkiye.Net http://www.videoturkiye.net/le... [videoturkiye.net]
  • by mandark1967 ( 630856 ) on Wednesday August 12, 2015 @12:16PM (#50302377) Homepage Journal

    They could be loading Adobe Flash

  • Back in 2011, I had a virus which persisted on my Blackberry after a full factory reset and clear. Nasty little bugger, also infected my Kindle, my wireless smart monitor and xbox, and a SecureRom bios secured machine. Sliced through it all like butter, and reinstalled itself even after full wipes.

    I now carry only a laptop. No cell phones. No nothing. That kind of trouble's just too much for me.

  • So, in this case, adding a security feature means opening the machine up to third party hacking.
  • The Malware's baked-in-goodness from the factory!
  • "Lenovo Installed Malware On Laptops That Persisted After Complete Wipes"

    FTFY

  • This will be used by at least one manufacturer to implement gradual device failure shortly after warranty.

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...