Lenovo Busted For Stealthily Installing Crapware Via BIOS On Fresh Windows Installs
from the not-learning-any-lessons dept
It looks like Lenovo may not have learned much from February’s Superfish shenanigans. If you recall, Lenovo was busted for stealthily installing adware on consumer laptops. Worse, the Superfish adware in question opened up all Lenovo customers to man-in-the-middle attacks by faking the encryption certificate for every HTTPS-protected site customers visited. When pressed, Lenovo idiotically denied there was any security threat introduced by faking encryption certs solely for the sake of pushing ads.
Lenovo’s now under fire this week for reinstalling the company’s bloatware on Lenovo laptops, even if customers have completed a fresh install of Windows. First noticed by an Ars Technica forum regular and confirmed by readers at Hacker News, as well as users over at Reddit, Lenovo appears to be hiding its crapware install in the laptop BIOS, so it gets installed even after fresh Windows installs:
“I had this happen to me a few weeks ago, on a new Lenovo laptop, doing a clean install with a new SSD, Win 8 DVD + wifi turned off. I couldn’t understand how a Lenovo service was installed and running! Delete the file and it reappears on reboot. I’ve never seen anything like this before. Something to think about before buying Lenovo. I searched and found almost nothing about this, so it may be something they started doing in the last few months.
Apparently, Lenovo’s using a Windows function called Microsoft Windows Platform Binary Table (WPBT), originally designed to help simplify the installation of proprietary drivers and anti-theft software (obviously since any smart thief would do a clean install relatively quickly after theft). Except in this case, Lenovo’s using it as a method to force the laptop to phone home to Lenovo servers so adware can be installed.
Basically, before booting Windows, the Lenovo Service Engine (LSE) built into the laptop’s firmware replaces Microsoft’s copy of autochk.exe with Lenovo’s version. Lenovo’s version then ensures that LenovoUpdate.exe and LenovoCheck.exe are present in Windows’ system32 directory, with full administrative rights. Lo and behold, you then get Lenovo crapware — and a machine that phones home to Lenovo servers — even if you think you’ve avoided such practices via what you incorrectly assumed was a truly clean OS install.
You’ll be shocked to learn that this practice isn’t particularly secure. Back in April, Security researcher Roel Schouwenberg found and reported that a buffer-overflow vulnerability in the LSE (not to mention insecure network transmission) could easily be exploited by hackers. Once Lenovo learned of the security risk, and likely received a wrist slap from Redmond for running afoul of Microsoft’s security standards regarding WBPT, Lenovo very quietly backed away from the practice last June, then released tools for laptops and desktops to aid in the removal of the LSE.
Clearly, since users are only just in August realizing this problem exists, Lenovo did a wonderful job communicating the issue to its customers. Lenovo now says that any computer sold since June should not include this stealth crapware install mechanism, but somehow it still thought it was a great idea to employ this technology from between October 2014 and April of this year. While Microsoft’s WPBT may be well-intentioned, it’s also hard to see how it couldn’t foresee the potential pitfalls of letting third parties use the BIOS to inject additional software into a fresh install (regardless of whatever “guidelines” they’ve belatedly attached).
Meanwhile, on the heels of the Superfish scandal, it’s becoming pretty clear that customers who want actual control of the hardware they own might just want to steer clear of Lenovo until the company wises up.