SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
TOP Security!
13 Aug 2015

Lenovo used a hidden Windows feature to ensure its software could not be deleted

A recently uncovered feature – one that had been swept under the rug – allowed new Lenovo laptops to use a Windows mechanism to install the company’s software and tools even after the computer had been wiped.

The oddity was first noted by Ars Technica forum user ‘ge814’ and corroborated by Hacker News user ‘chuckup.’

The users discovered the issue in May while using a new Lenovo laptop that automatically and covertly overwrote a system file on every boot; the replacement file downloaded a Lenovo updater and installed software automatically, even if Windows had been reinstalled from a DVD. The only problem is that nobody actually asked for this software, and it persisted between clean installs of Windows. Lenovo was essentially exploiting a rootkit on its own laptops to ensure its software persists if wiped. The mechanism triggering this is called the Lenovo Service Engine, which downloads a program called OneKey Optimizer used for “enhancing PC performance by updating firmware, drivers and pre-installed apps” as well as “scanning junk files and find factors that influence system performance.”

It also sends “system data to a Lenovo server to help us understand how customers use our products,” but the company claims it’s not “personally identifiable information.” The problem is that users have no idea this is going on, and it was very hard to get rid of. If Windows 7 or 8 is installed, the BIOS of the laptop checks ‘C:\Windows\system32\autochk.exe’ to see whether it is the Microsoft file or a Lenovo-signed one and, if it is Microsoft’s, overwrites the file with its own.

Then, when the modified autochk file is executed on boot, two more files, LenovoUpdate.exe and LenovoCheck.exe, are created; these set up a service and download files once the machine is connected to the internet. Lenovo already quietly fixed part of the bug but didn’t exactly make it loud and clear.

In a July 31 security bulletin, the company vaguely refers to a vulnerability in the Lenovo Service Engine that would let an attacker use a malicious server to install software through the mechanism. Between April and May of 2015 the company issued a patch that removes the functionality altogether, though it must be run manually to disable it. Users do not appear to receive it automatically.

Allowed by Microsoft

Here’s the kicker: the mechanism Lenovo was using is actually a Microsoft-sanctioned technique, called the “Windows Platform Binary Table,” first introduced in November 2011 and updated for the first time in July of this year. The document had only two mentions online before today, one from an apparent Lenovo software engineer asking for help tinkering with laptop ACPI tables.

The feature allows computer manufacturers to push software from the BIOS into the system for installation, meaning it will persist between installations of Windows regardless of whether it is a clean installation or not. The document was modified upon discovery of the Lenovo exploit to say that it exists to allow “critical software” like “anti-theft software” to persist across reinstallation of operating systems, but obviously computer manufacturers like Lenovo have a different idea of what that actually means (see also: the time Lenovo installed software that hijacked secure internet traffic).

Manufacturers are obligated to ensure that the mechanism can be updated if an attack is discovered and that it can be removed by the user, but the rules outlined in the document are fairly loose and don’t require the OEM to notify the owner of the laptop that such a mechanism is in place. Both users reported being confused about how Lenovo software was installed on their computers after performing an installation from a DVD.
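Because WPBT is exposed through a normal ACPI table and its payload leaves ordinary artifacts on disk, a laptop owner can check for the mechanism described above without trusting the OEM’s word. The following PowerShell script is an added example written for this article, not code from Lenovo, Microsoft or The Next Web: it queries the firmware for a WPBT table via the documented `GetSystemFirmwareTable` API, looks for the files the article names (their location under System32 is an assumption), confirms who signed `autochk.exe`, and reads the `DisableWpbtExecution` value that Microsoft’s WPBT specification documents as the supported opt-out. Run it from an elevated prompt.

```powershell
# Added example, not from the article: audit a Windows host for a firmware-supplied WPBT binary
# and for the on-disk artifacts the article describes. Run from an elevated PowerShell prompt.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class FirmwareTable {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, IntPtr buffer, uint size);
}
"@

function Get-WpbtInfo {
    # 'ACPI' provider constant from the GetSystemFirmwareTable documentation; the table ID is the
    # four-character signature exactly as it is laid out in memory.
    $acpi = 0x41435049
    $wpbt = [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes('WPBT'), 0)

    # Querying with an empty buffer returns the required size; 0 means the firmware has no such table.
    $size = [FirmwareTable]::GetSystemFirmwareTable($acpi, $wpbt, [IntPtr]::Zero, 0)
    if ($size -eq 0) { return $null }

    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$size)
    try {
        [void][FirmwareTable]::GetSystemFirmwareTable($acpi, $wpbt, $buf, $size)
        $bytes = [byte[]]::new([int]$size)
        [Runtime.InteropServices.Marshal]::Copy($buf, $bytes, 0, [int]$size)
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }

    # Standard ACPI table header: OEM ID at offset 10 (6 bytes), OEM table ID at offset 16 (8 bytes).
    [pscustomobject]@{
        Length     = $size
        OemId      = [Text.Encoding]::ASCII.GetString($bytes, 10, 6).Trim()
        OemTableId = [Text.Encoding]::ASCII.GetString($bytes, 16, 8).Trim()
    }
}

function Test-WpbtArtifacts {
    $findings = @()

    $table = Get-WpbtInfo
    if ($table) {
        $findings += "Firmware publishes a WPBT ($($table.Length) bytes, OEM ID '$($table.OemId)'): Windows extracts and runs its binary on every boot."
    }

    # Session Manager writes the WPBT payload to wpbbin.exe before running it; on a fresh install from
    # DVD its presence is the tell. The two Lenovo file names come from the article; looking for them
    # in System32 is an assumption made for this example.
    $sys32 = "$env:SystemRoot\System32"
    foreach ($name in 'wpbbin.exe', 'LenovoUpdate.exe', 'LenovoCheck.exe') {
        $p = Join-Path $sys32 $name
        if (Test-Path $p) { $findings += "Found $p" }
    }

    # autochk.exe should carry a Microsoft signature. Stock Windows files are catalog-signed, so on
    # older Windows Get-AuthenticodeSignature may report NotSigned for a genuine file; an embedded
    # signature from anyone other than Microsoft is the pattern the article describes.
    $sig = Get-AuthenticodeSignature (Join-Path $sys32 'autochk.exe')
    if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "autochk.exe is signed by '$($sig.SignerCertificate.Subject)', not by Microsoft."
    }

    # Microsoft's WPBT specification documents this value as the supported way to stop the binary from running.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $val = (Get-ItemProperty -Path $key -Name DisableWpbtExecution -ErrorAction SilentlyContinue).DisableWpbtExecution
    if ($table -and $val -ne 1) {
        $findings += "DisableWpbtExecution is not set to 1 under $key; the WPBT binary is allowed to run."
    }

    if ($findings.Count -eq 0) { 'No WPBT or related artifacts found.' } else { $findings }
}

Test-WpbtArtifacts
```

A WPBT finding on its own is not proof of abuse, since the specification permits it for things like anti-theft agents; what matters is whether the owner knows it is there and can turn it off, which is exactly what the script surfaces. Setting `DisableWpbtExecution` to 1 stops Windows from running the firmware-supplied binary, but it does not remove whatever that binary has already installed, so the file checks still matter on a machine that has booted before the value was set.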

A wide range of Lenovo laptops are affected by the issue: Flex 2 Pro-15/Edge 15 (Broadwell/Haswell models), Flex 3-1470/1570/1120, G40-80/G50-80/G50-80 Touch/V3000, S21e, S41-70/U40-70, S435/M40-35, Yoga 3 14, Yoga 3 11, Y40-80, Z41-70/Z51-70 and Z70-80 / G70-80.

A scary future

The revelation is one that makes me slightly nervous: a truly clean, untouched install of Windows is now very difficult to achieve, and computer manufacturers are quietly installing software without user knowledge. Other manufacturers could have been using the technique without user knowledge, but it’s unclear at this time.

At least there’s good news: if you own one of these laptops you can disable the feature right now by downloading the utility at this link. The bad news: it wasn’t already done for you. When we asked Lenovo for comment, they directed us back to the bulletin that describes the patch. Microsoft has yet to respond with a comment. Earlier, security firm IOActive reported that it had discovered major vulnerabilities in Lenovo's update system that could allow hackers to bypass validation checks, replace legitimate Lenovo programs with malicious software, and run commands from afar.

Tags:
Lenovo information leaks Windows
Source:
The Next Web