Monday, 31 August 2015

Oh No, Lenovo

Oh No, Lenovo

The world’s top computer builder has been caught leaving its devices potentially vulnerable twice in the space of a year. Will it ever learn?

It’s been little more than six months since Lenovo, the world’s largest shipper of PC technology – with nearly 20% of the market in 2014 – pledged to end the installation of third-party software on its machines. The announcement (which can be seen at tinyurl.com/ktzcprj) came in the wake of a furore surrounding a piece of software called Superfish, which had the capability to intercept and look at encrypted traffic in order to display adverts.


It was, at best, a dodgy piece of bloatware that watched what you were browsing for and generated probably unwanted ads based on that information. At worst, it could be characterised as malware that undertook a man-in-themiddle intercept of traffic by issuing itself dodgy SSL certificates, which could then be exploited to compromise other Lenovo laptops with the same software installed.

Either way, it wasn’t a good look, and became just about the biggest cause celebre of its type since Sony thought it would be a good idea to install a rootkit on any PC that played host to one of its CDs.

While Lenovo initially tried to frame Superfish as a helpful visual search tool, the strength of disdain amongst its users – not helped by Forbes’ discovery that Lenovo was paid as little as $200,000 in order to install the software and compromise its customers’ security – soon lead to it taking steps to remove Superfish from machines, clear up its mess, and begin making the aforementioned promises. It was, to say the least, a PR disaster; yet Lenovo keeps growing in the market, and here we are again in a situation where it, while not breaking its promises as such, has managed to annoy its user base.

LSE Is More


Recently, news broke of problems surrounding the Lenovo Service Engine (LSE), a piece of software that takes advantage of a feature in Windows 8 onwards that allows OEM installers to embed an executable in the firmware of a machine. Because this executable will then run at boot, it can potentially be used to ensure that a firm’s chosen suite of software cannot be removed from a machine, even by a clean install of Windows. While not all makers are exploiting this feature, Lenovo was; on desktop systems it was apparently used to send basic system information to its servers when a machine first connected to the internet, but on laptops it was doing much more.

Within its portable machines, LSE was employed to check whether Lenovo’s software update facility was installed and, if not, reinstall it. This tool (known as OneKey Optimizer) could then, in turn, download and install drivers and other software Lenovo wished it to. To anyone with a modicum of knowledge about such things, then, it will come as no surprise that a security researcher – specifically a chap by the name of Roel Schouwenberg – eventually managed to exploit the software to gain control of a system.

By the start of August, Lenovo and Microsoft had moved to plug the security flaw; the former by issuing advice, tools and new BIOS firmware alongside a list of affected machines (see below) and the latter by changing its protocols for how the Windows feature should be used (you can read that at: tinyurl.com/oo2nfdy). Interestingly, though, Lenovo’s advisories made it clear that the issue also affected these specific models even if they were using Windows 7, despite that OS not having the same in-built feature to allow it. Indeed, it was an anomoly that had been noted as early as June on the forums of Ars Technica (tinyurl.com/neb26k5).

In this case, LSE apparently re-wrote a system file called autochk.exe, in order to allow the system to “fetch files over unencrypted HTTP”. Lenovo, rather shamefully, straight-batted Ars’ attempts to clarify exactly how it was managing to achieve this, instead referring it to its statement on the matter (tinyurl.com/o9mhlf5), which reitterated it’s commitment to removing LSE altogether.

Curing The Bloat


When, in the wake of the Superfish affair, Lenovo assured its customers that “the events of last week reinforce the principle that customer experience, security and privacy must be our top priorities”, this was probably not what owners of its hardware were expecting. While use of LSE has now been stopped, and all machines manufactured after June should be clear of it, it’s more damaging press for the Chinese company. How should we view it, though? With paranoia, or a shrug and BIOS update?

In the wake of that Superfish announcement, it stands to reason that changing more than two decades of industry culture (whereby the shipment of software with PCs has became standard) can’t be easy. PC builders are used to striking deals to ship certain packages with their kit, or pushing their own in the hope of reaping the benefits. Indeed, one can see how it’s a handy chunk of revenue now, at a time when margins are getting tighter.

The benefits of LSE to the customer are debatable, but its employment (and, indeed, the Windows feature that facilitates it) is understandable as a product of that ingrained culture. It’s the same culture, after all, that has lead to it becoming virtually impossible to get a vanilla install of Android, and an ethos that Apple has basically built its OS’ iterations upon. Everyone has been playing the same game.

None of this is necessarily bad, or a damning indictment of Lenovo. LSE could be seen as clumsy misstep, rather than anything as insidious as Superfish suggested (though its employment within Windows 7 systems doesn’t look great, we’ll grant you). Whether its poor decision making here even registers beyond technology pages is questionable, but it’s clear that Lenovo has serious lessons to learn – as do many others.

Playing fast and loose with security is not acceptable, no matter the quality and price of your product. Not least because a catastrophic fall from grace can be brutally quick – and is never much further away than just around the corner.


Lenovo Machines Affected


If you have any of these Lenovo models, then you need to be aware of the LSE problem. While it appears a more serious issue for laptop owners than for those with more conventional PCs, there are now ways to remove it from either type of system:

Notebook
Flex 2 Pro 15 (Broadwell/Haswell)
Flex 3 1120/1470/1570
G40-80/G50-80/G50-80 Touch
S41-70/U41-70
S435/M40-35
V3000
Y40-80
Yoga 3 11/14
Z41-70/Z51-70
Z70-80/G70-80

PC
A540/A740
B4030/B5030/B5035/B750
H3000/H3050/H5000/H5050/H5055
Horizon 2 27
Horizon 2e(Yoga Home 500)
Horizon 2S
C260/C2005/C2030
C4005/C4030/C5030
X310(A78)
X315(B85)

Removing LSE


Lenovo has, so far, released two security advisories regarding LSE, one for its laptops (tinyurl.com/p8ocfwt) and one for desktops (tinyurl.com/p3mbpha). As we noted in the main copy, the installation of OneKey Optimizer on laptops is the factor that introduces real security issues, but both notices outline methods to remove LSE completely.

Laptop (Windows 8, 8.1 and 10 in UEFI mode)

1. Run the Lenovo LSE disabler tool (download from tinyurl.com/ojrd4su) as an administrator, this will cause a command line window to pop for about 30 seconds while the disabler tool stops the LSE service, deletes all files installed by the LSE module (C:\windows\system32\wpbbin.exe; C:\windows\system32\LenovoUpdate.exe; C:\windows\system32\LenovoCheck.exe), repairs the autocheck files in Windows and disables the UEFI variable that enables LSE.

2. You can then Restart your PC

Desktop (For Windows 8 and 8.1)

In order to disable LSE on desktop systems, please complete the following two steps:

1. Disable LSE in the system BIOS. Ppress F1 while the system is booting to get to the BIOS. Navigate to the Security tab and set the Lenovo Service Engine option to “disabled”. If you do not see these options in the BIOS LSE is not enabled in your system and running the disable utility is not needed. Press F10 to Save and Exit.

2. Get the RemoveLSEDT utility from tinyurl.com/p9cybrs. Boot to Windows. Right click on the “RemoveLSEDT.bat” file and select “Run as Administrator” or remove the following files on your system: C:\windows\system32\LSEDT.exe and C:\windows\system32\LSEPreDownloader.exe

Note: If you are running Windows 7, or anything newer in a legacy mode, you need a full BIOS update – details can be found at tinyurl.com/p8ocfwt.