Lenovo Busted For Stealthily Installing Crapware Via BIOS On Fresh Windows Installs

from the not-learning-any-lessons dept

It looks like Lenovo may not have learned much from February’s Superfish shenanigans. If you recall, Lenovo was busted for stealthily installing adware on consumer laptops. Worse, the Superfish adware in question opened up all Lenovo customers to man-in-the-middle attacks by faking the encryption certificate for every HTTPS-protected site customers visited. When pressed, Lenovo idiotically denied there was any security threat introduced by faking encryption certs solely for the sake of pushing ads.

Lenovo’s now under fire this week for reinstalling the company’s bloatware on Lenovo laptops, even if customers have completed a fresh install of Windows. First noticed by an Ars Technica forum regular and confirmed by readers at Hacker News, as well as users over at Reddit, Lenovo appears to be hiding its crapware install in the laptop BIOS, so it gets installed even after fresh Windows installs:

“I had this happen to me a few weeks ago, on a new Lenovo laptop, doing a clean install with a new SSD, Win 8 DVD + wifi turned off. I couldn’t understand how a Lenovo service was installed and running! Delete the file and it reappears on reboot. I’ve never seen anything like this before. Something to think about before buying Lenovo. I searched and found almost nothing about this, so it may be something they started doing in the last few months.

Apparently, Lenovo’s using a Windows function called Microsoft Windows Platform Binary Table (WPBT), originally designed to help simplify the installation of proprietary drivers and anti-theft software (obviously since any smart thief would do a clean install relatively quickly after theft). Except in this case, Lenovo’s using it as a method to force the laptop to phone home to Lenovo servers so adware can be installed.

Basically, before booting Windows, the Lenovo Service Engine (LSE) built into the laptop’s firmware replaces Microsoft’s copy of autochk.exe with Lenovo’s version. Lenovo’s version then ensures that LenovoUpdate.exe and LenovoCheck.exe are present in Windows’ system32 directory, with full administrative rights. Lo and behold, you then get Lenovo crapware — and a machine that phones home to Lenovo servers — even if you think you’ve avoided such practices via what you incorrectly assumed was a truly clean OS install.

You’ll be shocked to learn that this practice isn’t particularly secure. Back in April, Security researcher Roel Schouwenberg found and reported that a buffer-overflow vulnerability in the LSE (not to mention insecure network transmission) could easily be exploited by hackers. Once Lenovo learned of the security risk, and likely received a wrist slap from Redmond for running afoul of Microsoft’s security standards regarding WBPT, Lenovo very quietly backed away from the practice last June, then released tools for laptops and desktops to aid in the removal of the LSE.

Clearly, since users are only just in August realizing this problem exists, Lenovo did a wonderful job communicating the issue to its customers. Lenovo now says that any computer sold since June should not include this stealth crapware install mechanism, but somehow it still thought it was a great idea to employ this technology from between October 2014 and April of this year. While Microsoft’s WPBT may be well-intentioned, it’s also hard to see how it couldn’t foresee the potential pitfalls of letting third parties use the BIOS to inject additional software into a fresh install (regardless of whatever “guidelines” they’ve belatedly attached).

Meanwhile, on the heels of the Superfish scandal, it’s becoming pretty clear that customers who want actual control of the hardware they own might just want to steer clear of Lenovo until the company wises up.

Filed Under: , , , , , , ,
Companies: lenovo

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Lenovo Busted For Stealthily Installing Crapware Via BIOS On Fresh Windows Installs”

Subscribe: RSS Leave a comment
That One Guy (profile) says:


How can anyone be stupid enough to buy anything from them at this point? I wouldn’t trust them if they were selling a calculator, and I certainly wouldn’t trust them with a computer.

Forget ‘stop buying until they wise up’, after these last two stunts, people should stop buying from them permanently, as it’s blatantly obvious they’re not to be trusted.

That One Guy (profile) says:

Re: Re: How?

And? The highest quality hardware in the world doesn’t mean squat if you can’t trust it, and quite clearly if it’s coming from them you can’t. With actions like this, what little reputation they have should vanish overnight, as unless it’s a reputation for being sleazy and treating their customers like crap, they clearly don’t deserve it.

PaulT (profile) says:

Re: Re:

“If it can be abused it will be abused it seems.”

The law of unintended consequences. It may well be perfect useful for its intended purpose. But, supply a tool and some people will work out how to misuse it.

The only mystery is how it’s is a surprise to anybody that it was misused – or why Lenovo apparently believed that nobody would notice.

Ben (profile) says:

Re: Re: Re:

But, supply a tool and some people will work out how to misuse it

I think “use it differently” might be more appropriate — it is the epitome of “hacking”. Granted this case is an example of the “black” form of hacking; to paraphrase Hanover Fist: “They should be torn into itsy little pieces and buried alive.”

Lenovo has certainly earned a spot on my “do not buy” list.

RalphieW (profile) says:

Re: Re:

Nice try, FUDpacker. This is Lenovo– noonoe else has been caught red-handed TWICE doing this..

but sure, anyone else could do this.

IF you could cast your aspersions elsewhere while we discuss the greedy, arrogant Chinese company who’s done this (again) TWICE in the space of 18 months. Eyeaaah, that’d be greeeeeat.

RalphieW's little buddy says:

Re: Re: Re:

IF you could cast your aspersions elsewhere while we discuss the greedy, arrogant Chinese company who’s done this (again) TWICE in the space of 18 months. Eyeaaah, that’d be greeeeeat.

Yeah, please quit reminding people of all the times the government has been caught hacking into people’s computers. Let’s keep it focused on Lenovo. Eyeaaah, that’d be greeeeeat.

Pissedoff Vet says:

Re: Re: Re: Re:

I think you are failing to engage you’re brain before running you’re mouth.
It’s just Lenova this blog is about. There are others and they all should be nuked!
I foolishly bought a nice little “USELESS’ laptop. It has Chrome OS on it and it is UEFI locked. It is basically usless unless connected to the Internet. I dusted it off a couple months ago but I didn’t turn it on. I have tried to talk to Google about unlocking UEFI so I can replace that useless Chrome OS piece of shit. NO luck. Any one know how to talk them into how to unlock it? NO! I thought not.

Pissedoff Vet says:

Re: Re: a question

Nope, many Linux packages allow this shit too. To answer you’re question my old Panasonic Tough book has phone home seurity in the bios. I have it turned off but know for a fact if I installed MicroSnot Windows it will still run. I have yet to find any indiation that it runs on my version of Linux but I do see things making attempts to do thing I have blocked so my only gripe is the huge log files and I’m sure some slow down. Still looking. My log file is now over five million nine hundred lines and growing several lines per second.

Anonymous Coward says:

Re: Re: a question

it will probably never check or run anything in the WPBT.

WPBT tables, and other windows specific software constructs no longer apply when Linux is booted. To pull the same trick under Linux requires Linux specific software, and would have to deal with the variability of Linux, like different boot loaders. Windows provides a much more consistent execution environment than Linux, which relies more on source code portability.

Anonymous Coward says:

How about crossing over to Linux? I tried to work with Win 8/Win10 (hooray driver enforcement), but things like this confirm my suspicion of these shenanigans with Windows these companies pull. My question is who else is using BIOS similar to this? At least Lenovo’s trick is shown the door when it attempts to hijack a fresh Linux install.

That One Guy (profile) says:

Re: Don't give them ideas

What makes you think they wouldn’t support this method of slipping unwanted code into a system, whether the owner of the system knows it’s there or not?

‘Delete everything and start with a fresh install in an attempt to try and ensure that the only programs on your machine are ones you chose yourself? Hah, no, soon as it boots it calls home and installs the backdoor code again.’

tqk (profile) says:

Re: It's not just Lenovo

After watching this slow motion trainwreck (Win 10) unfold, if you’re in IT and proposing to update machines to Win 10, I’d have to wonder who you’re actually working for. It’s been quite a while since MS pulled such boneheaded crap and was still able to say and get away with, “What? What did we do wrong? This is supporting users. These are features they’ll appreciate!”

I suspect the Russian FSB, Israeli Mossad, and the NSA have all taken minority ownership positions in MS.

Phoenix84 (profile) says:

Thinkpad killed

Lenovo has succeeded in killing the great Thinkpad line.
I was afraid it was going to happen.
I have a T500 (T61p before that), back when Lenovo just bought them from IBM.
The thing is a workhorse, and still works great to this day (the T61p sadly succumbed to the bad nVidia chip of that era, T500 replaced it).
The keyboard change was the first nail. This is the final.
So ended an era.
It will most likely be my last Thinkpad. Sadly there isn’t much else of quality anymore either.

Anonymous Coward says:

Re: Stallman was right

As I recall, it took a while for others to convince Stallman a free BIOS was important, as he had considered it basically hardware until that point (these were probably the pre-TPM/restricted-boot days). He doesn’t seem fully conviced of the importance of free hardware designs yet, suggesting people wait for fabrication technology to improve before rejecting non-free hardware (whereas he declared non-free software unethical long before free-software-only systems were practical). Others such as the lowRISC project are working on it though.

It may be worth noting, by the way, that it’s not so difficult to grab an old system (one you don’t mind bricking) and port Coreboot to it.

stimoceiver (profile) says:

customers who want actual control of the hardware they own

This is a great article because it gives a nice clear example of not only what corporate-level actors think of our privacy and security, but also just how opportunistically they will act when left to their own unregulated and profit-driven whims.

It leads me to ponder: between now and the future of armed AI battlebots kicking down doors instead of cops, what kind of future can we predict for implantable computing?

Lenovo’s actions are a nice foreshadowing.

So are smart tv’s that share your every spoken word with third parties.

So are advanced persistent threats in the hard drive mcu firmware(s) and unpatchable firmware vulnerabilities that affect nearly every USB memory stick in existence.

So is the hidden second operating system in every phone, the baseband OS.

So are the terms in the Windows 10 license agreement that obligate the user to agree to so many kinds of spying, automatic updating, and remote top-down command-and-control from big brother Microsoft.

For that matter, so are the ubiquitous, corporate-owned, proprietary and for-profit nature of the cell phone and internet network architectures. Why aren’t corporations racing to embrace the Internet Of Things and the future beyond by designing an open, community-owned, peer routed and decentralized network architecture where all we will need to do to join is put up an antenna? Something that is free to join, neighborhood-centric, and useful for civic and community organising?

Its clear that if the hardware manufacturers are left to their own devices (pun intended), implanatable computing with a proprietary for-profit software-as-a-service unmoddable hardware locked proprietary baseband operating system, and advanced persistent spyware and adware in every BIOS and firmware will be the norm, and not some glaring exception.

Anonymous Coward says:

I don’t think it’d be much of a stretch to use something like this to prevent installation of a non-MS OS. Give it a few years.

And considering how small memory chips are in things like flash drives, perhaps in the future, the OS would be preinstalled directly on the motherboard and cannot be overwritten. That’d spell the end of Linux (competition to M$ and a possible hindrance to Big Brother) in several years, after the gurus’ old hardware becomes too old or breaks.

Just something I’ve been thinking about lately.

Pissedof Vet says:

Re: Re:

Think UEFI. You cannot replace the OS. Before I was UEFI aware I bought a great little lap top. Came with Google, Chrome OS. It is UEFI locked and I’m stuck with it. So it gathers dust. I would love to unlock UEFI so I an install a real OS on it. Chrome OS sucks big time. The device has a hard drive that is adequate to work but due to Chrome OS the whole thing is useless unless it is connected to the Internet.

Joel Coehoorn says:


Lenovo is a Chinese company. Given all of the recent government and corporate security breaches tied to the Chinese government over the last few years, how long until they get Lenovo to use a feature like this that acts as their espionage arm? They did it once; they can do it again. Even if (when) they caught again, by then it might not matter.

Anonymous Coward says:

lenovo caught useing the NSA's toys.

These capabilities exist on nearly all modern systems- they just aren’t usually used in mass, or in ways that are otherwise easily detected.

You’ve missed the story here Karl. There’s an iceburg below the tip you just pointed out, one that TDs articals seam to obliviously run into again and again… All modern hardware is backdoored like this. Intel ME, Secureboot, TPM, UEFI…etc…

Also- this type of attack absolutely works against linux, the injected software just has to be tailored to the target software environment; harder then windows, sure, but far from impossible.

Ironically- gluglug’s (old/reflashed) lenovo thinkpads are some of the only machines you can buy today that are imune to these types of subverstion/attack. So boycott new lenovo’s, by all means, but if you want to support a solution to this catastrophic mess- buy a gluglug and support the libreboot team.

John Fenderson (profile) says:

Re: lenovo caught useing the NSA's toys.

“this type of attack absolutely works against linux”

You’ve mixed together a bunch of technically very different attack vectors, so I’m not sure which one(s) you’re talking about with this assertion.

Assuming you’re talking about the one the article is discussing, then no, this attack does not work against Linux. It requires the active support and cooperation of the operating system, and Linux does not provide the necessary support.

John Fenderson (profile) says:

Re: Re: Re: lenovo caught useing the NSA's toys.

The way this worked is that Windows actively looks for the code embedded in the BIOS, loads it, and executes it. This is a “feature” of Windows.

Simply having the code in the BIOS (even if that code can execute under any OS) doesn’t do anything at all. Something on the OS side of things must load and execute that code. Linux does not look for, load, or execute any such code and so is immune from this attack vector.

Anonymous Coward says:

Re: lenovo caught useing the NSA's toys.

Linux and the similar BSDs, vary in all sorts of details, mainly under the users control, which includes variations in boot loaders, and init systems. Also, there are various file systems in use, all of which makes this sort of attack more difficult, and liable to failure on some installations of nominally the same operating system.

Anonymous Coward says:

Re: Re: So... how many folks here are not firm believers of following "the Bleeding Edge"?

Here is my hand held up high. Band aids on all fingers.
My most modern device is the old very first Panasonic Toughbook. It has a phone home security system in the BIOS. I have turned it off but all I can find about it says it works for them anyway. So I have every thing here goes through three routers with iptables on them as well as a Masqurade on each one. I am now the paranoid kid. I am not prejudiced at all. I trust no one.

Anonymous Coward says:

Once a corporate develops this sort of mentality, it is best to stay away from them. The one thing they will understand is loss of profit. It’s a long hard hoe back to trusting such a maker. They’ve shown their colors and I refuse to show them the color of my money because of it. They can promise the world but the damage is already done.

Anonymous Coward says:

cant understand why the Lenovo bosses would want to do this sort of thing. i have an old Lenovo laptop running XP and it has to be the best laptop i’ve had. why they would want to piss customers off by doing or allowing to be done this crap doesn’t make sense. i thought it had more respect for customers, unlike Sony, Microsoft and Apple, for example, who want to know the length of my foreskin and how many times i screwed the missus this week! looks like they’ve joined the class of ‘Dont Trust The Bastards’ now!

383bigblock (profile) says:

Already flushed the toilet

I’ve run into too much of this with Lenovo. We pulled the plug on all Lenovo’s last year. We liked their M93P boxes for out on the manufacturing floor because of small footprint and wifi capable. Unfortunately, they have a bad habit of generating IPv6 broadcast storms basically shutting down the network. We traced the storms to several machines that didn’t even have IPv6 enabled.

Good Bye…so long. We only have about 350 users but that’s 350 less Lenovo’s. Someone needs to pull their head out of their asses otherwise they will lose all of their business customers.

Groaker (profile) says:

Re: Bad Press

I would be happy if they voted with their feet and wallets, but that is disticntly not within the human paradigm. Look at all the crap that companies have pulled that the user population just ignores.

Sony is a great exemplar. Rootkits in audio material that take over a computer if you list to a legally purchased CD on your PC. Taking out capabilities that were touted as a reason for purchase (removal of Linux from a game console.)

Companies that produce absolute garbage (MPAA and the RIAA) abuse the user and the law. And users are so hungry for crap they don’t need, that they put up with it. Perhaps they all need to go to submissive school, and learn that it is the bottom who really holds the power.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...