I had this happen to me a few weeks ago, on a new Lenovo laptop, doing a clean install with a new SSD, Win 8 DVD + wifi turned off. I couldn't understand how a Lenovo service was installed and running! Delete the file and it reappears on reboot. I've never seen anything like this before.
Something to think about before buying Lenovo. I searched and found almost nothing about this, so it may be something they started doing in the last few months...
You no longer have the right to own the hardware you buy. Now it has become a service subject to their terms.
That Windows Platform Binary Table sounds disturbing and is ripe for being exploited.
Interesting info found:
> Lenovo Service Engine (LSE) is a utility in the BIOS for certain Lenovo desktop systems. It automatically sends non-personally identifiable system data to a Lenovo server one time when the system is first connected to the internet and then does not send any additional data.
> The system data that LSE collected includes machine type and model, system UUID, region and date. No personally identifiable information is collected.
> Once this data is sent, the service is disabled automatically.
> LSE uses the Microsoft Windows Platform Binary Table (WPBT) capability. Microsoft has recently released updated security guidelines on how to best implement this feature. Lenovo’s use of LSE is not consistent with these guidelines and so Lenovo has stopped shipping desktop models with this utility and recommends customers with this utility enabled run a “clean up” utility that removes the LSE files from the desktop. Instructions on how to download and run this program are below.
> The LSE functionality has been removed from newly manufactured systems.
When some people insist on having a Libreboot/Coreboot supported laptop, they call them crazy and idealistic. Now this is what happens.
It's just a shame that with Intel ME the Libreboot/Coreboot devs have given up on Intel machines. I'm very interested in the Purism Librem laptop but I have low hopes. Maybe the future will be ARM.
This isn't true. Libreboot is the fork that only works with completely free platforms, which the newer Intel chipsets make impossible. Coreboot is still very much committed to supporting new Intel chipsets, although the mainboard availability of course depends on what developers have time and interest for.
Google Chromebooks all ship with Coreboot, so they're fully supported and a great choice if you're trying to make the most free usable computer you can get. They can all run Linux, and some of them even Windows with a little more effort. They also have ARM-based ones, some of which are completely blob-free.
Also, if you're putting your hopes on Purism this may be of interest to you: http://blogs.coreboot.org/blog/2015/08/09/the-truth-about-pu...
"If LSE is not enabled, it will not be shown under the “Security” tab in the system BIOS and the user is not affected"
FYI, this was not true for me - there was no option in the BIOS regarding this. So I'd say, the lack of this in your BIOS setup screen does NOT mean it is not there!
The new ones, perhaps. Older ThinkPads (like the X201 and T530) are still relatively-well supported by Coreboot (though apparently ACPI isn't quite green yet).
Personally, I'd like a return to the old days of Open Firmware on some RISC-running machine (I'm partial to POWER or MIPS, but ARM would be okay, too).
Would running TrueCrypt full disk encryption protect you from your own hardware? If the BIOS can't read the disk on boot, I don't think it would inject the binary into the file system.
> The authenticated device owner should have the ability to disable or remove this functionality if desired.
The feature shouldn't exist in the first place. If a backdoor is hidden, this is an unlocked door with a "Please don't enter" sign on it.
>November 29, 2011 First publication
>July 8, 2015 Revision to include security guidance and requirements
I've bought a Lenovo notebook, wanted to download a copy of Windows from them (it's OEM), and searched on their forums for clues, since I didn't find anything on the site. This is what a moderator wrote:
> If what you wish to achieve is an OEM imaged system, the only way is to obtain official recovery media through official channels. There are no legal downloads available, therefore discussion of it is not allowed. You may contact Service (info and hours below) to discuss your options.
You must buy DVDs from them. You can't even _talk_ about alternatives.
I am never buying from them again, and at this point there is literally nothing they can do to regain my trust as a consumer.
I would return the laptop for a refund (regardless of how long you've had it), and if they refuse to take it back (which they likely will), file a small claims case in NC (I know, not necessarily an option depending on where you are). They may try to argue that you 'agreed' to arbitration, but because they misrepresented the quality of the device, you can argue that agreement was 'signed' under false pretenses, and isn't legally binding.
I'd also post recordings of your support calls online if you have them, or call back and record new ones if you don't. Posting those online does not run afoul of the broadcast laws which apply to phone recordings, and recording calls with only one party aware is legal in all but 11 states, and everywhere once they tell you they're recording the call.
I'm doing the same damn thing with the tech companies that screwed me over, so I made sure to do my homework.
"Strategic advantage" would be a better fit for your comment.
The majority of the profit from the sale of Windows PCs goes to Microsoft because everything in the PC besides the operating system are "commodities", meaning they are available from multiple suppliers who must compete with each other. (Actually Intel might be taking a significant fraction of the profits, too; I'm not sure.) Lenovo wants to become more than a supplier of a commodity because in a mature, shrinking market, there is little profit in supplying a commodity, and it is being clumsy and ham-handed about it, which annoys their customers.
I don't see how this is a danger to the US. If Lenovo persists in being clumsy, customers will simply shift to other suppliers. This is not a social crisis; this is just a relative newcomer to the game who did pretty well when the market was expanding and is not responding well to the end of the expansion.
> Kernel Service Protection for Client Security
> by HJK Wu - 2010
> ... for Client Security. Hui Jun (Kevin) Wu , Lenovo Global Desktop Development Laboratory ..... Contact him at email@example.com or firstname.lastname@example.org.
Also, I see Microsoft has updated that document in the last two weeks, apparently due to Lenovo's use of it.
"a security vulnerability that was discovered ..by an independent security researcher, Roel Schouwenberg... As a result of these findings, Microsoft recently released updated security guidelines...on how to best implement this Windows BIOS feature."
* in Windows 8+ any PC vendor can include an .EXE in Firmware/BIOS, and Windows will look for this on each boot, and run it right before you log in. This is called "Windows Platform Binary Table". This is something Windows does, and there is no way to turn this off. To me, this is the bigger story, because vendors may now start to use this method to install anything, making a clean windows install impossible.
* Lenovo uses this method if you try to install Windows 8, but if you install Windows 7, it does the sketchy "overwrite your system file (autochk.exe)" method instead.
* Either way, Lenovo installs a service on your PC. It was found to have security bugs. I can't find the link, but they said this was placed on some laptops/PCs from late 2014 to Summer 2015. They've released a new firmware 2 weeks ago that turns this off.
I would like to know if any non-Lenovo PCs have used this "Windows Platform Binary" method to run software from the firmware, because when I searched for it, I saw people with Dells and HPs who thought they might have a virus, posting scan logs that contained the text "wpbbin.exe" (which would only be there if Windows found it in the BIOS and put it there). For example see https://www.google.com/search?q="wpbbin.exe"+site%3Aforums.m...
Check your PC:
Windows 8 and up: Check your event log for "Microsoft-Windows-Subsys-SMSS" and if you see "A platform binary was successfully executed." your PC vendor is doing this. Or, look for a file called wpbbin.exe in windows\system32. (This file would ONLY exist if Windows found it in your firmware and ran it.)
Windows 7: Verify your autochk.exe is legit. I think you could simply do: "sfc /VERIFYONLY" in cmd.exe (as Admin) but I did not test it. My autochk.exe was signed by Lenovo in 2014 (which tipped me off it didn't come from the Windows 7 DVD I got in 2010!).
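The checks listed in the post above, collected into one script as an added example (not part of the original thread or any vendor tool). It uses only the indicators the post names: the wpbbin.exe file, events from the Microsoft-Windows-Subsys-SMSS provider, and the signer of autochk.exe. It assumes PowerShell 3.0 or later, and treating a non-Microsoft signer on autochk.exe as suspicious is an assumption based on the poster's observation.

```powershell
# Added example: gathers the indicators named in the post above.
# Run from an elevated prompt on the machine being checked.

# A 32-bit PowerShell on 64-bit Windows is redirected to SysWOW64 when it
# opens System32, so use the Sysnative alias to reach the real directory.
$dir = if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) { 'Sysnative' } else { 'System32' }
$sys32 = Join-Path $env:SystemRoot $dir

function Get-FileSignerReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $item = Get-Item -LiteralPath $Path -Force
    [pscustomobject]@{
        Path      = $Path
        Present   = $true
        Status    = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        LastWrite = $item.LastWriteTimeUtc
    }
}

# 1. wpbbin.exe: per the post, present only if Windows found a platform binary in firmware.
$wpbbin = Get-FileSignerReport (Join-Path $sys32 'wpbbin.exe')

# 2. autochk.exe: the post's Windows 7 case, where the file carried a Lenovo signature.
$autochk = Get-FileSignerReport (Join-Path $sys32 'autochk.exe')

# 3. Session Manager events whose message mentions a platform binary.
$events = @(Get-WinEvent -ProviderName 'Microsoft-Windows-Subsys-SMSS' -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*platform binary*' } |
    Select-Object TimeCreated, Id, Message)

# Assumption: a genuine autochk.exe has a signer subject naming Microsoft.
$autochkOdd = $autochk.Present -and $autochk.Signer -and ($autochk.Signer -notmatch 'Microsoft')

[pscustomobject]@{
    WpbbinPresent        = $wpbbin.Present
    WpbbinSigner         = $wpbbin.Signer
    PlatformBinaryEvents = $events.Count
    AutochkSigner        = $autochk.Signer
    AutochkNonMicrosoft  = [bool]$autochkOdd
}
$events | Format-List
```

An empty signer is inconclusive rather than clean: older PowerShell versions report files signed through a Windows catalog as NotSigned, so compare the file against known-good install media in that case.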
Because people continue to make excuses for MS and continue to buy windows after they do things like this
>How much worse are they going to get?
Lots because people will whine on the Internet but will not do anything that actually matters or will make a difference; you know, like using an Operating System that respects your freedom...
I was wondering about buying a ThinkPad soon to improve my hardware... And I'm pretty scared about this.
The two methods of how this works could be blocked. For systems without support for WPBT, where the firmware attempts to overwrite system files, one could use whole drive encryption (like LUKS) on Linux to prevent the firmware from being able to write directly onto your drive. If they are more sneaky and have this tied directly to the firmware methods for writing to disk, you can always compile the Linux kernel to not require the BIOS after loading the kernel. This may be the default mode of operation now, I'm not entirely certain.
For the systems using WPBT, it's even easier. There is no way in hell they could get a patch into the mainline or any real community kernels that would load contents of the system firmware and immediately execute them. No self-respecting distribution would enable this either without the user explicitly authorizing it in the first place.
If they are super evil and actually attempt to inject code directly into the system memory, this would depend on an explicit kernel version because the in-memory model & organization aren't guaranteed to be the same between kernel versions. The last thing someone wanting to take over your computer wants to do is render it unstable. It just makes what they are doing more apparent.
The fact that Microsoft actually provided a way of having binaries executed without the user's permission (or ability to turn it off) is absolutely unacceptable. It's like they want to be able to run what they want on our systems...
There's only so much you can do against evil firmware, unfortunately. Getting a coreboot/libreboot capable machine is the only real way out.
The problem with coreboot/libreboot capable machines is they can no longer be shipped with newer Intel stuff. (thanks to Intel bastards).
I feel we are kind of stuck in eating proprietary and evil software until we die.
I presume this type of firmware enabled OS modification will not be able to work with drive encryption enabled, but does secure boot help at all in this situation? Presumably Lenovo includes their own signing key in their firmware so their signed executables would also be trusted. Or is this not something secure boot would verify?