Got Lenovo? You DO NOT CONTROL your network!

Let's start from the beginning here, which was the weeks before the Superfish announcement.  Let me stress: before.  The first step in the song and dance routine was reclassifying a number of lines of "business" class computers as consumer class machines, only on their website and obviously hoping nobody would notice.  Of course, they claimed that it was never installed on any business class machines, even though it was verified on their business lines.

Then we have the actual announcement, where Lenovo said "We will no longer distribute the software via our remote BIOS access."  Notice they never claimed to stop distributing Superfish, just that they would stop distributing it via a single method of getting software onto a system.  It was later verified to still be in their wireless driver stack, and also here; it is unknown where else it may be.

Next, 'Rootkit-Like' methods to sneak software onto clean Windows installs.  This one installs software on your system for you; believe it or not, all computer manufacturers have this capability (otherwise you couldn't have something like LoJack easily available).  Lenovo's just happens to include a rootkit.  They claim this one is to keep users secure and up to date.  Let's keep in mind the definition of malware: software programs designed to damage or do other unwanted actions on a computer system.  No sane person can argue that having a system do things unknown to the end user is a wanted action, no matter how well intentioned.

We're not done yet!  Not content to just use bad software in the form of ShareIT, they also used a terrible password with it!  So not only are they using software known to be full of security holes, they also used a terrible password along with it.  Free WiFi hot spots for everyone!  Oh, yeah, those WiFi hot spots also let you drop any file you want on the system.  Thank you Lenovo, I always wanted corporations to donate their entire network to me!  That's right, Lenovo has handed the keys to your network over to anyone that knows about this ShareIT thing.

Let's do a quick recap here...

  1. Attack customers.
  2. Get caught.
  3. Casually include major security mistakes later on.
  4. Make sure NEW security mistakes are caught by your own system first.
  5. Point fingers at other companies, accusing them of doing the same thing (they haven't).
  6. Use the new security failings to make people forget about the earlier purposeful actions.

 

Any company using Lenovo today is in known breach of HIPAA/PCI or just about any other security mandates, and any person recommending Lenovo today brings to mind a quote I heard recently (I'm not sure who the original quote came from): "Sufficiently advanced incompetence is indistinguishable from malice."

References:
https://mangolassi.it/topic/11320/pentagon-warns-against-using-lenovo-equipment
http://www.centrelawgroup.com/pentagon-issues-internal-warning-against-lenovo-equipment/
https://mangolassi.it/topic/7748/lenovo-screws-the-pooch-yet-again-on-the-security-front
https://www.theinquirer.net/inquirer/news/2443276/wtf-lenovo-protects-your-backdoor-security-with-a-really-really-really-bad-password
https://mangolassi.it/topic/5751/lenovo-accused-of-using-rootkit-like-methods-to-sneak-software-onto-clean-windows-installs
https://hothardware.com/news/lenovo-accused-of-using-rootkit-to-sneak-its-software-onto-clean-windows-installs
https://www.cnet.com/how-to/lenovo-superfish-adware-uninstall-fix/
http://fortune.com/2015/12/08/lenovo-solution-center-hack/
https://www.pcmag.com/article2/0,2817,2477277,00.asp
https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/