
Lenovo: researchers find 'massive security risk' - tpatke
http://www.bbc.co.uk/news/technology-32607618
======
orthecreedence
It seems from the article that the best way to handle this is to uninstall all
the trash that comes with a new computer (or hell, reinstall windows from
scratch). Do I need Lenovo's power management tools? No. Do I need its Wifi
connection manager? No. Windows has all this stuff already and it works
really, really well.

~~~
ams6110
Where do you get the installation media? I haven't seen more than a "system
recovery disk" shipped with a consumer machine in at least a decade.

And I don't know about Lenovo, but I know that on the Dell laptops I last
dealt with I could never get a stock Windows 7 install to be stable without
downloading Dell's drivers for the video card at minimum.

~~~
aylons
My Lenovo came with a recovery partition from which I could reinstall Windows.
However, I suppose it would also automatically reinstall crapware, which is
beside the point.

The solution was to download an official Windows 8 copy from Microsoft's
website - the Windows installer will get the license key from the EFI.

Not as good as a recovery disk, as you will need to download and install
manually all drivers, but vetting everything is part of the point.

EDIT: for those looking, this is the link from where I downloaded the Windows
8 binary from Microsoft's website:
[http://windows.microsoft.com/en-us/windows-8/create-reset-refresh-media](http://windows.microsoft.com/en-us/windows-8/create-reset-refresh-media)

~~~
kbenson
I wasn't aware you could get vanilla Windows install media for OEM license
keys. Does this work with older Windows versions as well? I have a Windows 7
laptop that I would _love_ to do this with.

~~~
smwht
It's a new feature with Windows 8 [1]. Unofficially you can install Windows 7
using the OEM key (note this is not the key printed on the sticker on your
laptop) and then activate it.

[1] [http://arstechnica.com/gadgets/2015/02/save-yourself-from-your-oems-bad-decisions-with-a-clean-install-of-windows-8-1/](http://arstechnica.com/gadgets/2015/02/save-yourself-from-your-oems-bad-decisions-with-a-clean-install-of-windows-8-1/)

------
themeek
Lenovo has, for years, been banned from US government use. They even have a
patent on recovering TPM keys
([http://www.google.com/patents/US8908867](http://www.google.com/patents/US8908867)).

It is well known (via Snowden) that the US installs backdoors into US hardware
and software for export to China, and it has for at least 15 years warned
about the same from imports.

So none of this is particularly new. What is new is that the US is now moving
against China on all fronts to prevent it from acquiring superpower status -
to isolate it economically and politically, to block its trade and
international investment programs, and to increase the risk of its using its
military (with the second largest funding of any nation) to project power
lawfully in the Asia Pacific.

So these articles come at a good time for the US.

You should not trust pretty much any hardware - recent revelations have shown
that products come with backdoors; that is, the article does not establish the
absence of 'security flaws' by other manufacturers.

~~~
drzaiusapelord
There's a big difference in intercepting packages and installing backdoors in
a targeted and legal way, at least according to SCOTUS who have zero problems
with our status quo SIGINT operations thus making them lawful - and massive
cyberwar attacks from China and cooked in state mandated malware.

I know HN hates the US and thinks China and Russia are bastions of liberty and
human rights, but the US's methods are a million times more ethical than
autocratic states in regards to SIGINT. Heck, Putin had Kaspersky give him
information on journalists he didn't like. Meanwhile, my Russian friends on VK
are always bugging me about citizenship and H1bs. Yeah, they WANT to come
here, pal. They hate it there, they aren't blinded by anti-US, anti-UN, anti-
NATO propaganda so popular here. They're gentle geeks in fear of a dictator
who could eliminate them at any moment.

If I had the power and wealth I would hire them all and bring them to the
states. Every. Single. One.

> China on all fronts to prevent it from acquiring superpower status - to
> isolate it economically and politically,

We power their economy via our manufacturing and via the sales of our
products. If anything they are close economic partners. Are we moving all of
our manufacturing to Mexico or something? Seems to me the US is very much tied
to the success of China. I can't interpret your statement as anything but
incredibly dishonest. Does our national firewall block alibaba now? Oh right,
we don't have a national firewall. They do. Hell, my own company is tortured
by their VPN and censorship limitations. This is a daily headache for me and
I'm TRYING TO DO BUSINESS WITH THEM. If anyone is business hostile it's them -
to us. Hell, they outright block Google services on Android.

> and to increase the risk of its using its military

This is asinine. China is unilaterally taking over disputed islands with zero
attempts to use diplomacy, the UN, etc. The Japanese, Korea, and others have
claims on those islands. Why are you dismissing their rights? Because they are
"evil US" partners as well?

Meanwhile the Chinese prop up the worst state in modernity which has become a
mass murder state we have not seen since Stalinist times. I was just in South
Korea and it's complete madness that a modern democratic state needs to be
terrorized by a client Chinese state 24/7 via a madman with nuclear weapons
because the CCP likes to "stick it to America." The Koreans we met, drank
with, laughed with, etc were no different than me. They bought us gifts and
were so gentle, humorous, and loving (especially of children and the elderly)
it breaks my heart to think they are one madman's decision away to shell Seoul
which would destroy it, and them, in minutes. But I get to fly home to a
secure nation because of our strong military and they get to sit there waiting
for the CCP to tell their pet attack dog to invade or have their pet attack dog
go off chain and shell a few things and blow up some nukes to terrorize them.
It's depressing. The one man who had a son in the military was so proud of his
son's service and showed us many photos, knowing full well, that kid is
mincemeat when the North decides it's time to roll tanks with Beijing's
blessing. The kid looked 16.

> to project power lawfully in the Asia Pacific.

This is pro-China bullshit right here. Lawfully by whose standards? The CCP?
Oh okay. Only on a kiddie politics site like HN or reddit would a dishonest
and extremely biased anti-US comment like yours be voted to the top. Grow up.

~~~
coldpie
> I know HN thinks China and Russia are bastions of liberty and human rights

Citation needed.

~~~
MaulingMonkey
Confusion over "HN" being surprised, and finding it noteworthy, when China and
Russia are "Playing Against Type"?

------
nemoniac
I've had a bunch of Lenovo Thinkpads. Each time, the first thing I do is wipe
it and install Linux.

~~~
loudmax
Thinkpads have long had good driver support for Linux. Pity they don't sell a
Linux notebook like Dell Sputnik.

~~~
rockymeza
would you trust your Linux installation if Lenovo had installed it?

~~~
rifung
No but I would at least have more confidence in the driver support for the
hardware included.

~~~
dorfsmay
You can check the
[http://www.thinkwiki.org/wiki/ThinkWiki](http://www.thinkwiki.org/wiki/ThinkWiki)
for compatibility issues before you buy.

------
SixSigma
> The other two flaws would allow attackers to gain a greater level of control
> over a system than they should have.

What level of control should an attacker have?

~~~
mryan
Some of these attacks are remote, some are local privilege escalation flaws.

The local attacker should have user-level access, but instead has
admin/system-level access.

~~~
higherpurpose
Researchers seem to encounter a handful of privilege escalation
vulnerabilities for Windows every year. I wonder if this will ever be "fixed"
(dramatically reduced in number).

A well organized cyber-crime group or a whole number of spy agencies could
have access to at least one such vulnerability throughout the year.

~~~
zamalek
This specific case is not Windows. It's Lenovo's unbelievable hostility toward
their customers in combination with their amazing aptitude for being
completely incompetent.

I would venture to guess that the adware service is running as SYSTEM. Any
vulnerability in the service would escalate to system. You can do _exactly_
the same thing in Linux (daemon running as root) and it would have a very
similar surface area.

The only difference in this specific case is that Windows has idiots for
hardware manufacturers. The only way to "fix" it would be for Microsoft to
encourage users to wipe the default installation.
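
An added example, not part of the comment above and not Lenovo's or Microsoft's own tooling: a PowerShell audit that lists services running as LocalSystem whose binary is not signed by Microsoft, which is where a preinstalled OEM service of the kind guessed at above would show up. The helper name `Get-ServiceBinaryPath` is hypothetical.

```powershell
# Added example: audit services that run as LocalSystem but are not Microsoft-signed.
# Get-ServiceBinaryPath is a hypothetical helper name used only in this example.
function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' } |
    ForEach-Object {
        $path = Get-ServiceBinaryPath $_.PathName
        $signer = '(binary not found)'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.Subject
            } else {
                $signer = '(unsigned)'
            }
        }
        # Keep only services whose binary is not signed by Microsoft.
        if ($signer -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{
                Service   = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Binary    = $path
                Signer    = $signer
            }
        }
    } |
    Sort-Object Signer, Service |
    Format-Table -AutoSize -Wrap
```

Each row is third-party code that runs with SYSTEM rights, so any flaw in it is a path from user-level to system-level access; rows marked `(unsigned)` or `(binary not found)` deserve a look first.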

------
DanBlake
Kind of crappy title, and mostly old news.

Should be: Researchers: Lenovo computers contain 'massive security risk'

------
lifeisstillgood
So I feel like I missed a memo. Is there a list / primer on what we do and do
not know about hardware backdoors, firmware backdoors and software backdoors?

This bothers me - a16z podcast also threw up a reference to "200 security
hygiene" functions - keeping patches up to date and encryption at rest. But
I can only get to about ten.

Is there an appendix in SysAdmin / O'Reilly I should read or do I have to watch
all the CEF notifications and work backwards to what preventative action
I should stick in my sh file?

It's a serious question - I just don't feel I know what is dangerous out there
anymore let alone have it automated.

------
badloginagain
I have a Lenovo ThinkPad, if I blow away the stock version of Windows 8 I'm
currently running with an incoming Windows 10, will that blow away all the
Lenovo bloatware?

~~~
hackuser
> if I blow away the stock version of Windows 8 I'm currently running with an
> incoming Windows 10, will that blow away all the Lenovo bloatware?

It will remove the Lenovo applications, but the 'bloatware' and security risks
could exist elsewhere, for example in BIOS or in a separate partition on the
hard drive.

~~~
yellowapple
If you repartition the hard drive, at least that latter point should be
resolved, though at the cost of blowing away recovery data.

------
smarterchild
[https://support.lenovo.com/us/en/product_security/lsu_privilege](https://support.lenovo.com/us/en/product_security/lsu_privilege)

If this is considered "Medium" Severity, how bad would it have to be to become
High?

~~~
poizan42
Something like the LSASS vulnerability used by the Sasser worm?
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0533](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0533)

Or even worse - it's not inconceivable that some a bit too clever firmware for
an ethernet or wifi device could be exploited by a specially crafted IP package
that could be sent over the public internet. As such a device usually has DMA
access that would be _really_ bad. I don't think even "High" would be
sufficient in that case though.

------
jefurii
Yet another reason to wipe the drive on a new computer and just install
Linux...

~~~
chaostheory
Don't most people on HN already do this? I do use Windows but my Lenovo
machines always run some variant of Linux.

------
ryanlol
I really don't think a privesc vulnerability on Windows can be considered a
"massive security risk" at this point.

