
Lenovo is now using rootkit-like techniques to install their software on CLEAN Windows installs, by having the BIOS overwrite Windows system files on bootup. Someone detailed this here: http://arstechnica.com/civis/viewtopic.php?p=29497693&sid=dd...

I had this happen to me a few weeks ago, on a new Lenovo laptop, doing a clean install with a new SSD, Win 8 DVD + wifi turned off. I couldn't understand how a Lenovo service was installed and running! Delete the file and it reappears on reboot. I've never seen anything like this before.

Something to think about before buying Lenovo. I searched and found almost nothing about this, so it may be something they started doing in the last few months...

This is getting increasingly disturbing with each new generation of hardware.

You no longer have the right to own the hardware you buy. Now it has become a service subject to their terms.

That Windows Platform Binary Table sounds disturbing and is ripe for being exploited.

Interesting info found [1]:

> Lenovo Service Engine (LSE) is a utility in the BIOS for certain Lenovo desktop systems. It automatically sends non-personally identifiable system data to a Lenovo server one time when the system is first connected to the internet and then does not send any additional data.

> The system data that LSE collected includes machine type and model, system UUID, region and date. No personally identifiable information is collected.

> Once this data is sent, the service is disabled automatically.

> LSE uses the Microsoft Windows Platform Binary Table (WPBT) capability. Microsoft has recently released updated security guidelines on how to best implement this feature. Lenovo’s use of LSE is not consistent with these guidelines and so Lenovo has stopped shipping desktop models with this utility and recommends customers with this utility enabled run a “clean up” utility that removes the LSE files from the desktop. Instructions on how to download and run this program are below.

> The LSE functionality has been removed from newly manufactured systems.

When some people insist on having a Libreboot/Coreboot supported laptop, they call them crazy and idealistic. Now this is what happens.

It's just a shame that with Intel ME the Libreboot/Coreboot devs have given up on Intel machines. I'm very interested in the Purism Librem laptop but I have low hopes. Maybe the future will be ARM.

[1] https://support.lenovo.com/nz/en/product_security/lse_bios_d...

> It's just a shame that with Intel ME the Libreboot/Coreboot devs have given up on Intel machines. I'm very interested in the Purism Librem laptop but I have low hopes. Maybe the future will be ARM.

This isn't true. Libreboot is the fork that only works with completely free platforms, which the newer Intel chipsets make impossible. Coreboot is still very much committed to supporting new Intel chipsets, although the mainboard availability of course depends on what developers have time and interest for.

Google Chromebooks all ship with Coreboot, so they're fully supported and a great choice if you're trying to make the most free usable computer you can get. They can all run Linux, and some of them even Windows with a little more effort. They also have ARM-based ones, some of which are completely blob-free.

Also, if you're putting your hopes on Purism, this may be of interest to you: http://blogs.coreboot.org/blog/2015/08/09/the-truth-about-pu...

Very interesting, thanks for that link.

"If LSE is not enabled, it will not be shown under the “Security” tab in the system BIOS and the user is not affected"

FYI, this was not true for me - there was no option in the BIOS regarding this. So I'd say, the lack of this in your BIOS setup screen does NOT mean it is not there!

> It's just a shame that with Intel ME the Libreboot/Coreboot devs have given up on Intel machines.

The new ones, perhaps. Older ThinkPads (like the X201 and T530) are still relatively-well supported by Coreboot (though apparently ACPI isn't quite green yet).

Personally, I'd like a return to the old days of Open Firmware on some RISC-running machine (I'm partial to POWER or MIPS, but ARM would be okay, too).

Not Intel ME, Intel Boot Guard.

RMS is sounding less and less crazy with discoveries like this. To think a manufacturer would essentially rootkit their own machines is testament to how bad things have become.

Would running TrueCrypt full disk encryption protect you from your own hardware? If the BIOS can't read the disk on boot, I don't think it would inject the binary into the file system.

No - see my reply to the Ars thread. Windows 8 introduced an "official" way to do this called "Windows Platform Binary Table". Every time Windows boots, it checks your ACPI table for an entry called "WPBT", writes that to disk as "wpbbin.exe", and executes it. There does not seem to be any way to disable this behavior in Windows. Truecrypt would not help in this case because it happens after boot.

Another [very valid!] reason not to run Windows IMHO. This kind of thing is totally unacceptable.

To be fair, the guidelines for this feature include

> The authenticated device owner should have the ability to disable or remove this functionality if desired.


The feature shouldn't exist in the first place. If a backdoor is hidden, this is an unlocked door with a "Please don't enter" sign on it.

You know, I have to agree. My gut reaction is "blame the policy not the technology", but after looking closely, I'm struggling to see how this feature could ever be applied towards the user's best interests.

I would just add, it took them nearly 4 years to add these guidelines!

>November 29, 2011 First publication

>July 8, 2015, 2015 Revision to include security guidance and requirements

About thinking before buying Lenovo...

I've bought a Lenovo notebook, wanted to download a copy of Windows from them (it's OEM), and searched on their forums for clues, since I didn't find anything on the site. This is what a moderator wrote

> If what you wish to achieve is an OEM imaged system, the only way is to obtain official recovery media through official channels. There are no legal downloads available, therefore discussion of it is not allowed. You may contact Service (info and hours below) to discuss your options.


You must buy DVDs from them. You can't even _talk_ about alternatives.

Better response than I got. This was just a couple months ago, the laptop shipped with Superfish installed on it in spite of assurances that it wouldn't, so I called them to ask where I could get driver installers for after I wipe / reinstall windows. I was told that I could under no circumstances reinstall Windows (even if I went and bought a brand new Windows license), that it would void my warranty and break everything and there were no drivers because: "it's not Microsoft Windows on these machines, it's Lenovo Windows".

I am never buying from them again, and at this point there is literally nothing they can do to regain my trust as a consumer.

I can say with absolute certainty that (at least in America) reinstalling Windows does NOT void your warranty (despite what any rep may tell you), and selling you a device with a problem they assured you didn't exist is fraud.

I would return the laptop for a refund (regardless of how long you've had it), and if they refuse to take it back (which they likely will), file a small claims case in NC (I know, not necessarily an option depending on where you are). They may try to argue that you 'agreed' to arbitration, but because they misrepresented the quality of the device, you can argue that agreement was 'signed' under false pretenses, and isn't legally binding.

I'd also post recordings of your support calls online if you have them, or call back and record new ones if you don't. Posting those online does not run afoul of the broadcast laws which apply to phone recordings, and recording calls with only one party aware is legal in all but 11 states, and everywhere once they tell you they're recording the call.

I'm doing the same damn thing with the tech companies that screwed me over, so I made sure to do my homework.

I think after Superfish and now this anyone would be mad to buy Lenovo - I work for large companies - and I would never ever recommend them (luckily I haven't worked somewhere recently that uses them).

We (the US) allow IBM to sell its PC Division to China which becomes Lenovo, and you are now somehow surprised something like this happens? Failure to retain a comparative advantage in global free trade policy has many downsides. I fear this is just the tip of the iceberg.

"Comparative advantage" has a precise meaning in economics, and this is not one of the situations where the precise meaning applies.

"Strategic advantage" would be a better fit for your comment.

The majority of the profit from the sale of Windows PCs goes to Microsoft because everything in the PC besides the operating system are "commodities", meaning they are available from multiple suppliers who must compete with each other. (Actually Intel might be taking a significant fraction of the profits, too; I'm not sure.) Lenovo wants to become more than a supplier of a commodity because in a mature, shrinking market, there is little profit in supplying a commodity, and it is being clumsy and ham-handed about it, which annoys their customers.

I don't see how this is a danger to the US. If Lenovo persists in being clumsy, customers will simply shift to other suppliers. This is not a social crisis; this is just a relative newcomer to the game who did pretty well when the market was expanding and is not responding well to the end of the expansion.

I've worked in computer repair shops, and what you've described about OEM Windows is how it's worked for years. You have to either use the recovery partition that comes with the machine or order new recovery media from the manufacturer. This isn't unique to Lenovo.

I find a nice little program called Daz Loader works much more smoothly than Lenovo support. As long as you have the correct SLIC code in the BIOS you are golden.

Do manufacturers treat these DVDs as a way to make more profit?

As others have said there seems to only be a single Word document Microsoft have published on the "Windows Platform Binary Table". I then found the following MSDN Forums question (with posts between 2013-07-16 and 2013-07-18) about how to implement WPBT by someone with the username "kevinwu1980". A Google search for "kevinwu1980 lenovo" gave me this (the page is now a redirect). If that MSDN Forums post is by the same guy then Lenovo was likely working on this in mid-2013:

> Kernel Service Protection for Client Security

> doi.ieeecomputersociety.org/10.1109/MSP.2010.112

> by HJK Wu - ‎2010

> ... for Client Security. Hui Jun (Kevin) Wu , Lenovo Global Desktop Development Laboratory ..... Contact him at kevinwu1980@gmail.com or wuhj@lenovo.com.


Wow, nice find!

Also, I see Microsoft has updated that document in the last two weeks, apparently due to Lenovo's use of it.


"a security vulnerability that was discovered ..by an independent security researcher, Roel Schouwenberg... As a result of these findings, Microsoft recently released updated security guidelines...on how to best implement this Windows BIOS feature."

tl;dr version (since this blew up on Reddit and there's lots of stuff to digest)

* In Windows 8+ any PC vendor can include an .EXE in Firmware/BIOS, and Windows will look for this on each boot, and run it right before you log in. This is called "Windows Platform Binary Table". This is something Windows does, and there is no way to turn this off. To me, this is the bigger story, because vendors may now start to use this method to install anything, making a clean Windows install impossible.

* Lenovo uses this method if you try to install Windows 8, but if you install Windows 7, it does the sketchy "overwrite your system file (autochk.exe)" method instead.

* Either way, Lenovo installs a service on your PC. It was found to have security bugs. I can't find the link, but they said this was placed on some laptops/PCs from late 2014 to Summer 2015. They've released a new firmware 2 weeks ago that turns this off.

I would like to know if any non-Lenovo PCs have used this "Windows Platform Binary" method to run software from the firmware, because when I searched for it, I saw people with Dells and HPs who thought they might have a virus, posting scan logs that contained the text "wpbbin.exe" (which would only be there if Windows found it in the BIOS and put it there). For example see https://www.google.com/search?q="wpbbin.exe"+site%3Aforums.m...

Check your PC:

Windows 8 and up: Check your event log for "Microsoft-Windows-Subsys-SMSS" and if you see "A platform binary was successfully executed." your PC vendor is doing this. Or, look for a file called wpbbin.exe in windows\system32. (This file would ONLY exist if Windows found it in your firmware and ran it.)

Windows 7: Verify your autochk.exe is legit. I think you could simply do: "sfc /VERIFYONLY" in cmd.exe (as Admin) but I did not test it. My autochk.exe was signed by Lenovo in 2014 (which tipped me off it didn't come from the Windows 7 DVD I got in 2010!).
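
The checks listed in the comment above, gathered into one script (an added example, not part of the original thread). It assumes an elevated PowerShell session and that the SMSS events land in the System log; the file names, event source and message text are the ones the comment gives, and `Get-SignerInfo` is a helper name made up for this example.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
$sys32 = Join-Path $env:SystemRoot 'System32'

function Get-SignerInfo([string]$Path) {
    # Summarise the Authenticode signer of a file, or report that the file is absent.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Status = $null; Signer = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{ Path = $Path; Present = $true; Status = $sig.Status; Signer = $signer }
}

# Windows 8 and up: wpbbin.exe is only there if Windows found it in firmware and ran it.
$wpbbin = Get-SignerInfo (Join-Path $sys32 'wpbbin.exe')

# Windows 8 and up: look for the "platform binary" message from the SMSS event source.
# Searching the System log is an assumption; the thread names only source and message.
try {
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Subsys-SMSS'
    } -ErrorAction Stop | Where-Object { $_.Message -like '*platform binary*' })
} catch {
    $events = @()   # no matching events, or the provider is not registered here
}

# Windows 7: autochk.exe is the file the firmware replaces.
# A NotSigned status alone is inconclusive, because Windows system files can be
# catalog-signed instead of carrying an embedded signature. A signer that is
# present and is not Microsoft is the signal worth following up.
$autochk = Get-SignerInfo (Join-Path $sys32 'autochk.exe')
$autochkSuspicious = [bool]($autochk.Signer -and ($autochk.Signer -notmatch 'Microsoft'))

# Report
$wpbbin, $autochk | Format-List
"WPBT execution events found : $($events.Count)"
"wpbbin.exe present          : $($wpbbin.Present)"
"autochk.exe non-MS signer   : $autochkSuspicious"
```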

Wow… first Superfish and now this? My next computer certainly won’t be a Lenovo. Thanks for the heads-up.

That's incredible and should be more widely reported.

I just replied to the Ars thread - it's even stranger. Windows 8 and up have an officially Microsoft sanctioned way of letting manufacturers load software through Firmware, called "Windows Platform Binary Table". It means it is impossible to do a clean install of Windows now. I've seen zero mention of it anywhere - maybe Lenovo was the first to pull the trigger and make use of it recently.

This is unbelievable. How the hell did things get to this point? How much worse are they going to get?

>>How the hell did things get to this point?

Because people continue to make excuses for MS and continue to buy windows after they do things like this

>How much worse are they going to get?

Lots, because people will whine on the Internet but will not do anything that actually matters or will make a difference. You know, like using an Operating System that respects your freedom...

"Windows Platform Bloat Table" seems like a more appropriate name, IMHO.

Does anyone have a laptop on the affected list, that's seeing this right now? If so, get in touch? owen@thenextweb.com

Your story on thenextweb was excellent - it's a complex story and you managed to explain it all very well.


Does anyone know if Lenovo tries to put some rootkit on Linux / BSD based OSes? I mean, if it does attempt to do it on Windows, it may as well do it on Linux / BSD based OSes.

I was wondering about buying a ThinkPad soon to improve my hardware... And I'm pretty scared about this.

You'd be safe. First thing is that they are probably uninterested in us Linux & BSD users to begin with, but, entertaining the notion, I have a few thoughts.

The two methods of how this works could be blocked. For systems without support for WPBT, where the firmware attempts to overwrite system files, one could use whole drive encryption (like LUKS) on Linux to prevent the firmware from being able to write directly onto your drive. If they are more sneaky and have this tied directly to the firmware methods for writing to disk, you can always compile the Linux kernel to not require the BIOS after loading the kernel. This may be the default mode of operation now, I'm not entirely certain.

For the systems using WPBT, it's even easier. There is no way in hell they could get a patch into the mainline or any real community kernels that would load contents of the system firmware and immediately execute them. No self-respecting distribution would enable this either without the user explicitly authorizing it in the first place.

If they are super evil and actually attempt to inject code directly into the system memory, this would depend on an explicit kernel version because the in-memory model & organization aren't guaranteed to be the same between kernel versions. The last thing someone wanting to take over your computer wants to do is render it unstable. It just makes what they are doing more apparent.

The fact that Microsoft actually provided a way of having binaries executed without the user's permission (or ability to turn it off) is absolutely unacceptable. It's like they want to be able to run what they want on our systems...

Linux' boot process is at its core designed around mechanisms that allow the bootloader to control binary execution: they're called the kernel command line (init=) and the initramfs. Granted, the bootloader is not the firmware, but since everyone is using GRUB these days it wouldn't be too hard for firmware to locate the right configuration pieces to overwrite. And since initramfs is by design unencrypted because you need it to decrypt the rest, it's trivial to get your evil.ko injected in there.

There's only so much you can do against evil firmware, unfortunately. Getting a coreboot/libreboot capable machine is the only real way out.

And for now, there is no report about a ThinkPad getting an unknown kernel module or any config tamper attempt from an unknown source?

The problem with coreboot/libreboot capable machines is they can no longer be shipped with Intel's newer stuff. (thanks to Intel bastards).

I feel we are kind of stuck in eating proprietary and evil software until we die.

CompuTrace has been doing it for years for their "Theft Protection". Opt-out, too, and included on about every Windows laptop.

There is no setting I can see to opt-out of what Lenovo is doing. It's not an anti-theft software, it's software that makes popups appear, asking you to install their software.

Yea, the arms race against laptop thieves is ridiculous.

Edit: I was wrong on all counts, see chuckup comment below. This happens after boot in cooperation with the OS. Encryption and secure boot are irrelevant.

I presume this type of firmware enabled OS modification will not be able to work with drive encryption enabled, but does secure boot help at all in this situation? Presumably Lenovo includes their own signing key in their firmware so their signed executables would also be trusted. Or is this not something secure boot would verify?

Q: If I use linux as a host OS for VMWare, and install a Windows guest, will I avoid these types of issues?
