Lenovo crams unremovable crapware into laptops by hiding it in the BIOS (2015) (theregister.co.uk)
130 points by beefhash 30 days ago | 85 comments

Some of my highest rated comments were for Apple's recent failures. Their laptops shipped with an unworkable keyboard. New product lines were confusing. The existence of the MacBook alongside the MacBook Air defied logic. Their "pro" machines were no longer pro. The list went on.

Apple has changed some of that, but even if they don't, my next laptop will still be a Mac.

Because Apple doesn't install shit on my machine. Apple fixes security holes. Apple doesn't cheat me on my privacy when I buy a machine.

Apple might suck donkey balls but everyone else sucks even more. Pardon my French.

Thinkpads do not have this crapware installed and can run Linux exceptionally well. You should look into one, because they're the best engineering laptop on the market.

Thinkpads have excellent keyboards, are user serviceable, support SIM cards, have tons of ports, are rugged yet lightweight. The manuals have hardware breakdowns to help you reinstall battery, RAM, drives, modems, etc.

The machines last forever. I have a few that are over a decade old and are still a joy to write software on.

Thinkpads are truly at another level.

> Thinkpads do not have this crapware installed and can run Linux exceptionally well

It's still supporting a company that thinks it's OK to install crapware on their consumer machines. Machines intended for the people least able to mitigate the problem.

Even if someone's not an Apple fan, he's right to send his money to another company.

This. I was once such an avid Thinkpad fan, but several bad Lenovo practices and horrible experiences with their other machines have made me distrust this company so much that I've resisted the Thinkpad temptation for years now.

Perhaps, if Lenovo sees Thinkpads selling more, they might think the market prefers solid machines and rejects preinstalled crapware. People voting by buying what they actually want, you know.

> It's still supporting a company that thinks it's OK to install crapware on their consumer machines.

I still use an Android phone even though I despise what Google has done for the open internet. Amp, unsemantic HTML5, promulgation of video ads, Chrome monoculture, dropping XMPP and RSS, search ad extortion, tracking, recaptcha, YouTube bad behavior, the app store monopoly / protection racket, etc. They still do great work in many areas, and you can't cut off the nose to spite the face.

At the end of the day, I'm buying a tool that lets me effectuate the changes I want to make. I buy the best tool that works for me. Thinkpads are marvelous, and you should try one.

The pressure on Lenovo, Google et al will never be sufficient to force them to change if people don't retaliate forcefully enough.

If people don't react strongly, even to the point of temporarily damaging their own interests, companies can keep incrementally making things worse without provoking a reaction, by providing more goodies along with the crap.

> Thinkpads are marvelous, and you should try one.

I have two at work that I use for testing. But for the kind of development I do, I need different tools. It's a shame, too, since I'm an old school IBM fan. I bring the ThinkPads to our testers in an IBM-branded backpack built for two laptops.

Two 90's laptops? What's that, like nineteen modern ones?

Fool! Don't you know that Apple is the only technology company that cares about you, and to buy from anyone else is to reward the enemy for being your enemy? :)

I'll call BS. Granted, this was a few years ago, but the W520 and W530 had quite a few issues with the Advanced Programmable Interrupt Controller (APIC), and you had to boot them with `nox2apic`. Additionally, although they had both integrated and discrete graphics cards, only the discrete was routed to the video out (no mux). Switching wasn't good on Linux, so you basically had to force discrete only, which knackered the battery life.

All machines can have issues. By all means, shop around and buy the best machine for your use-case. But brand loyalty is misplaced.

Yes, definitely do the research for the specific model vs Linux compatibility.

Discrete graphics is always a source of pain in current laptops (ever since the dgpu designs stopped being directly connected to displays), avoid.

Until I read this, Thinkpads were at the top of my list for a new laptop. But even if they didn't do this on Thinkpads, the fact that Lenovo did this at all, does not reflect well on any of their brands.

Not to mention a 3 year on-site warranty (pretty much..it slightly varies on region) as standard on a T series.

My 470P was expensive for a windows laptop at £1368 (I went for the 2560x1440/nvme/i7-7700HQ) but the peace of mind of having it fixed within days combined with the build quality still makes me happy with it as a purchase.

> You should look into one, because they're the best engineering laptop on the market.

Dell Precision line may not have the great TP keyboard, but otherwise it's hard to beat a 7740, for example, performance-wise. If anything the Thinkpad P73 and Precision 7740 are similar spec-wise (7740 has marginally faster processor i9-9880HK vs. i9-9880H, and GPU, RTX 5000 vs. 4000), with the P73 coming in at 1lb heavier.

Though you'll pay through the nose for the 7740 with maxed out specs. Just for kicks I configured the following machine:

  CPU: i9-9880HK
  GPU: RTX 5000
  HD:  4 X 2TB SSD (RAID 0)
  RAM: 128GB
  SCREEN: UHD 3840 X 2160
A mere $21K USD :)

Linux is not a comparable desktop experience to macos.

I'm not a huge fan of Apple, but I love everything about my 2019 MBP minus the keyboard. After using Linux for close to a decade it's a fairly seamless transition compared to going back to Windows.

With Apple's direction towards their walled garden, glued components, questionable changes to their macbooks, and their recent keyboard troubles, I vowed to buy something else this time. But crap like this might chase me back into the arms of Apple.

You should look into how to recover data if the laptop doesn't boot.

Use your backups and then pull all your repos.

Other scenarios in which this helps is if your laptop is stolen or if the hard drive dies.

>Apple doesn't cheat me on my privacy when I buy a machine.

Except that siri thing

The installer itself lets you choose to enable or disable Siri. Like it's one of the first choices you make when you first set up the machine.

As someone else pointed out: That isn't the issue. It was because they lied about your privacy when you opted in. Some folks, would they have known what they know now, wouldn't have opted in.

Still important. Try to get rid of Cortana for instance. MS is forcing that crap down your throat.

At the moment, if you set Windows 10 to not send every keystroke to Bing when you're searching for a start menu shortcut, the search process locks up and consumes an entire CPU core. Microsoft isn't serious about the privacy options they pretend to offer.

Wait what? This cannot be serious.

Apparently Microsoft did get a fix out earlier this week; I'd been avoiding my Windows machines waiting for this.

The patch that introduced the bug: https://support.microsoft.com/en-us/help/4512941/windows-10-...

The patch that fixed the bug: https://support.microsoft.com/en-us/help/4515384/windows-10-...

Description and workaround: https://www.reddit.com/r/Windows10/comments/cxmot9/windows_1...

It's still clear that Microsoft's QA procedures focus too highly on testing the default configurations rather than the sane configurations.

Could you elaborate? “Hey Siri” is opt-in when you set up a Mac.

GP is referring to the fact that Apple contractors were manually reviewing Siri recordings, which frequently included private conversations in which Siri activated erroneously.

"Hey Siri" may be opt in, but you're encouraged to enable it when you set up a new device, and someone who turns it on isn't necessarily okay with their private conversations being reviewed. Buying a computer in the first place is technically "opt-in" too.

The keyboard, ok, and I'll give you the "pro" (though, if you're talking about their laptops and not their desktop pro model, they were totally pro). But this sounds like hardly a complaint:

"New product lines were confusing. The existence of the MacBook alongside the MacBook Air defied logic"

One could always buy one or the other or neither...

I owned a MBP back around 2007.

I later purchased (in-person, in-store) an ipad pro using a credit card, maybe around 2015. The receipt they gave me had my email address printed on it. That really creeped me out.

What about Microsoft surface book? I have colleagues who are in science/coding/tech and they really like them.

You mean the one with the screen so fragile you can break it just by closing the laptop normally, replacement of which MS won't cover under warranty because they insist it's not a defect?

uh I guess? didn't know about that, haven't heard that before

>> Apple doesn't cheat me on my privacy when I buy a machine.

Have you ever monitored all the telemetry Mac OS sends back to apple related domains?

If you didn't opt-in to data collection during setup, the only telemetry that goes out is crash reports (also an opt-in for every crash). Crash reports have nothing more than the stack trace and some information on the environment/OS parameters on the system. Nothing that's PII.

Crash reports can and do often contain identifiable data.

Then buy a Linux laptop. Problem(s) solved.

I can't understand some of you guys. You pay 2k for a laptop which has a shitty keyboard and then you look for excuses to justify your decision. Sure, a lot of what you mention about Windows machines is true. But they're also preventable with work arounds. What kind of a work-around is there for the problem with MacPros keyboards?

I have a Toshiba laptop (Tecra Z40). Aside from the crap they install to make their tailor-made hardware to work everything else is stellar. The machine works for the last two years problem free, and it will probably keep working for another five. Don't make it sound like every non Apple laptop is crap because it isn't.

I feel this comment is unnecessarily combative.

Setting aside security. I have owned laptops from every major brand. IBM ThinkPads, Toshibas, Lenovos, Dells, Macs and ASUS. So far, other than ASUS, I've run into more hardware issues with these laptops with fewer repair options available. They've also had bad battery lives compared to the Macs at the time.

I've bought laptops and flashed Linux on them. I've used Ubuntu since Hardy Heron. But none of the laptops worked as seamlessly and as well as my Macs. The touchpad wouldn't work. The WiFi would fail. Sometimes updates broke the machine if they worked at all. Printers weren't plug and play. A few times the system crashed because of a configuration error that was unintentional. All in all, it was a poor experience.

The difference in the experience is summed up by what happens when you open the box. A new Linux laptop would require an install, then hunting down the files, copying it over, doing updates, changing settings, changing the configuration etc etc. A new Mac is simple. I bring it home. Turn it on. It goes on my WiFi, finds my Time Machine and does the rest. I have perfect continuity from my old machine to the new. I have settings and programs here from 3 machines ago.

I like to use my computer to work rather than working on the computer.

Moreover, from a security perspective, I trust a company like Toshiba less. Mostly because the Toshiba comes with a ton of bloatware installed; https://www.google.com/search?newwindow=1&hl=en&ei=hsR8XZmLF... and you never know what they might install. As of writing, my Mac just doesn't.

>A new Linux laptop would require an install, then...

No, that's a new Windows laptop that you're wiping and installing Linux on. You can buy laptops nowadays with Linux already installed and completely set up.



>I like to use my computer to work rather than working on the computer.

This is why I’m willing to pay whatever Apple asks. As far as I can tell, they have done the most to earn my trust that they might not try to shove malware or ads on me. They have had a few missteps in the past, but all the other companies are so much worse.

Plus their customer service has been leagues better than everyone else...which isn’t hard since no one else has any stores I can go and get my problem fixed at.

When the touchpad on my daughter's Yoga stopped working, I had a technician exchange it within a day at our home. I got the same 2-year service level for my Lenovo X390 for 50$ extra and it's worldwide. I think a Mac you have to bring to the Apple Store and leave it there.

Yeah, Apple's service is abysmal. The University Village Apple Store in Seattle wanted to hold onto my macbook air for a week to replace the battery because they didn't have one in stock. Why didn't they have one in stock? I had an appointment scheduled for them to replace the battery, so why wasn't the battery pre-ordered to be there on that date?

Their customer service is infamous for being an extreme ripoff, always pushing towards "buy a new device".

Most recently there was a cool video where a journalist went to the "genius bar", was told that repairing his MacBook's broken backlight would cost more than a new one ("we have to fix water damage" lol), then went to Rossman and got it fixed for free in a minute.

I think you've hit the nail on the head. If a user isn't an idiot blindly following fashion (we know there are plenty who use Apple for "the looks" only). If they are a user who really loves Apple, it's really about the ease and smoothness of the services/ecosystem. The hardware can be crap priced twice as high as it should be at times, but the services are smooth and those who like them love them. I'm not a fan, but this is what I observe in the long-time Apple fans I know.

> I feel this comment is unnecessarily combative.

If you took offense, I apologize. I didn't mean to insult you.

Hakuna matata

Agreed. My past several computers have been used from Craig's List, $500 for roughly $2,000 machines. Installing Mint has been flawless. Everything just works (Lenovo Carbon X1).

> Then buy a Linux laptop. Problem(s) solved.

I use Linux on the notebooks since around 2003. The problems are far from being solved, from my experience:

- There was constantly some piece of hardware that wasn't supported.

- There were constantly pieces of operating system and user space that were simply broken until a lot of manual work is applied.

- The brokenness increases with every update. At the start I didn't use LTS (I don't even remember if the LTS versions even existed for the distro I've used) -- it was a major pain. Six months go by, new upgrade, everything's broken. Search the internet, ask: "oh you upgrade an existing installation? It's not tested, you should have installed blank and copied your data, we do that" -- oh thanks.

- The brokenness of power saving is amazingly persistent. Linux notebooks typically worked acceptably only when plugged in.

- Even worse, the brokenness of the possibility of playing the stutter free videos: https://xkcd.com/619/ I have still that problem (it was not only "flash" that was and is the problem!) and discovered that the "lighter" compositors that are advertised as supposedly needing less resources made even worse results. I still have computers that in 2019 with the latest Linuxes can't play videos normally, whereas on the same computer videos in Windows play perfectly.

In short, if you need a computer only for a very reduced set of tasks and are ready to spend the time "fixing" the remaining issues, Linux can work for you. But don't expect "problems solved."

On another side using Windows brings its own crazy pains: if you keep even the Windows provided "antivirus" solution on, even file copying can be orders of magnitude slower than what the machine would be able to do.

Plus the crapware. And the exposure to many more viruses trojans etc. Or even the ads built in in the OS.

So what's then left? Apple. Also not perfect, of course, but some problems are actually "solved" from the start. But using Apple computers brings its own issues and, of course, prices.

It's just the question which kinds of problems you want to be exposed to.

I personally can't stand not being able to reasonably easy replace a hard disk in my notebook. I don't even know what I can buy the next time.

This. When I buy a laptop I want to pay a big pile of money to ensure real people have tested my exact hardware with the OS and drivers I intend to use. It’s the most important feature of a laptop so I don’t mind that being a significant chunk of the price for only that.

When I buy a dell or Lenovo I expect crapware but I expect to be able to remove it by installing a clean OS on it.

> real people have tested my exact hardware with the OS and drivers I intend to use

> When I buy a dell or Lenovo

It's still nothing guaranteed with Linux distros, it's just that "mostly works" (for various definitions of "works") state is maintained: recently there was a quite big kernel bug delivered as a trivial update, which affected LTS version of Ubuntu, including Dells and many other brands, as soon as there was a second monitor attached to the machine. The recent Dell docks more didn't than did work for a while, it took many firmware updates to make them "mostly" working. But it still doesn't behave how it should. Etc.

Yes, I don't use desktop linux. When I spoke about dell/lenovo I only have experience with Windows. If I ever did buy a deskop linux machine I'd buy one of the preinstalled ones to ensure I wouldn't have to fight the tiny issues with multi-screen DPI, various sleep states etc. Those things are hard enough for manufacturers to get right in windows and Mac OS it seems.

> When I spoke about dell/lenovo I only have experience with Windows.

As far as I see, even with Dell, the modern hardware is too commonly untested and poorly developed or integrated with the OS, even with Windows: in my company I don't know anybody who uses built-in trackpads, as it's a common knowledge that they "don't work" but everybody carries the mouse around. I've tried to use the trackpad only to see it broken between different Windows versions (so very like Linux). The same story with the docks -- they seem to have worked badly even on Windows.

The Dell puts their brand on the final product, but they just integrate whatever they can get at the moment. And even if you integrate Intel devices, they can remain in the software support limbo (happened to me with the Intel WiFi cards which remained unsupported and not working on Windows 10, even if Microsoft forced the upgrade as "everything works").

It's a sad state of the hardware - software integration. And knowing the Apple's problem with the keyboards, it seems that the only portable devices currently fully working "as they should" are the phones and tablets.

That's amazing. We used Dell Latitudes for years at my work with docks, with no problems. Now we have a bunch of Dell XPS 15 machines, with the new USB-C docks, and very few problems. No trackpad problems on Windows 10 at all. The only problems we have are related to software vendors who haven't updated their crap to scale properly on a high resolution monitor. A couple of times, a bad driver update, easily fixed by rolling it back.

> with the new USB-C docks, and very few problems.

I can also claim that I have "very few" problems with these docks, as long as I don't use them. After the initial (repeated) problem I've just learned not to hot plug anything in their USB ports, but only directly in the notebook (somehow hot plugging in the dock always results in the confusion of some level of OS -- no idea why). Then, they do work as the power supply and the monitor driver... until you have to turn the computer off and on again. Then they still behave quite randomly. Sometimes they don't show the picture. Sometimes they block somewhere. Some strange "resets" happen even as the OS is fully booted and waits for my input. Note I keep the firmware updates to the latest version.

So yes, the users learned to say "it works" if they find any workaround that lets them do something without interruption, and then, "oh I never turn my computer off anyway" or "oh I never use the trackpad anyway, I use the mouse" etc. E.g. one of my colleagues typically keeps his setup turned on and plugged in without plugging in anything for at least a month, so he simply sees the problems less often. But when I do observe what happens when he plugs something or turns the computer on, the same story.

Yep, even with Dell you need to pick one of the good ones. That's perhaps one in 5 machines, even in the good ranges like the precisions/xps (mostly the same for a lot of models).

This wasn't the case with macbooks until recently, but now it is

I think it depends on how long you keep the laptop. If you get a new one every year then it's pretty insane to deal with new driver and software issues each time.

But if you keep the laptop for many years it might be the opposite. If you can work out the software issues given some time investment, and then have a computer you like using, it could be worth it. If the option that "just works" has a keyboard you hate, and you will be stuck with it for years, that seems a lot worse than one weekend wasted on driver issues or whatever.

I've used Linux off and on about as long as you and permanently since 2008 or so, I've never really had all these hardware problems I keep reading about over the years. I've had WiFi cards not work with certain distros, which changing to a different one has always fixed. I had issues with multiple displays years ago but that was with an actual CRT monitor hooked up to my laptop. I've had some minor issues getting obscure old gamepads to work on modern distros more recently but other than that everything's always worked pretty well whatever machines I've installed it on. Hell even my old TV tuner card that I could barely manage to make work with the software that came with it originally on xp on my old ass desktop from 1999, works well on Linux without hassle (not that I've used that thing for years now).

I agree back in the day, many features were lacking when it came to the desktop, but that hasn't been the case for years. Using the windows 7 computers at my work or the few times I've tried windows 10 feels like a massive step backwards from what I'm used to on my Linux computers. Everything always just works. Whatever hardware I plug in, even stuff I could never get working in windows, like my rp350 guitar pedal or my midi controller, just work. Music and audio recording on linux is just awesome, I could go on all day about how amazing Jack2 is compared to anything I ever used on windows.

I've only used Macs post os9 a few times, but I've never really liked them. They always felt limited and closed down. But, I don't know a lot about it so I can't say too much there.

External keyboards? LOL!

For what it's worth, the professional equipment marketed under the "Think" brand was not affected by this. It was only ever a problem for their consumer line of devices.


In general the Intel platform is quite the horror show of complex, deeply embedded layers of closed source software outside of the control of the user or the operating system. All the while these components have full control over the machine and all software running on it.

Intel ME, AMD PSP, the UEFI BIOS were just some sources of vulnerabilities coming with the hardware. So just buying another brand of laptop, PC or server won't do. There would need to be a fundamental shift towards handing back the user or owner full control over what is executed on his machine.

> For what it's worth, the professional equipment marketed under the "Think" brand was not affected by this

That doesn't make it OK.

It should go without saying that it isn't okay. But thank you for helping the people with broken moral compasses.

Certainly not ok, but very helpful.

I sure as shit will never, ever buy anything Lenovo. Pro or otherwise.

I still won't buy them as the entire brand is tainted by this customer hostile crap.

Here's a writeup on what I've been able to piece together (thus far) on this:


Note that this rootkit/malware seems to be somewhat independent of manufacturer, that is, it's not just Lenovo but several other prominent laptop manufacturers where the same phenomena occurs...

To be fair this crapware affected Windows users only, and was removed swiftly in a quickly issued BIOS update after this caused a PR nightmare... back in 2015.

So why are we discussing this now, almost half a decade later? Why is this suddenly relevant again?

Because there are a lot of people who really like Macs and there are a lot of people who really like things that aren't Macs and these people do seem to enjoy engaging with/against each other.

My brand new Lenovo has no crapware at all. It had McAfee (now owned by intel) but that was easy to remove.

Compared to Samsung who put a non removable Facebook app on their A50 phone I am happy with my Lenovo. The Samsung -home went back not only because of the Facebook app but also because the fingerprint reader did. To work better than 10% of the time and the digitizer was horrible.

> My brand new Lenovo has no crapware at all. It had McAfee

McAfee is crapware.

> Compared to Samsung who put a non removable Facebook app

adb shell pm uninstall -k --user 0 com.X

It had no crap at all, except for this crap.

McAfee was actually spun back out of Intel in 2017.

So, how can I disable the Windows functionality that makes this type of thing possible? Surely there's a way?

No. Windows does not control the BIOS. The BIOS activates when the machine is powered on, before the operating system becomes active. This is at the hardware maker level, and outside the control of Windows.

The article mentions how Windows reads an ACPI table, looks for a specific executable file, and willingly runs it. It's not the BIOS forcing anything to happen, Windows goes out of its way to look for an .exe that is bundled in the BIOS and then happily runs it.

The issue is with Microsoft forcing this ridiculous behavior.
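The ACPI table referred to here is the Windows Platform Binary Table (WPBT). As an added example (not from the article or from any commenter), the Python parser below reads a WPBT so a defender can tell whether firmware publishes one and what it points at. The field layout follows Microsoft's WPBT specification; the function names are hypothetical and the sample table is constructed.

```python
import struct
from pathlib import Path

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")  # handoff size, handoff address, layout, type, arg length
FIXED_SIZE = ACPI_HEADER.size + WPBT_BODY.size
# Linux exposes raw ACPI tables here (readable by root); the file is absent
# when the firmware publishes no WPBT.
SYSFS_WPBT = Path("/sys/firmware/acpi/tables/WPBT")


def parse_wpbt(raw: bytes) -> dict:
    """Parse a raw WPBT and return its security-relevant fields."""
    if len(raw) < FIXED_SIZE:
        raise ValueError("too short to be a WPBT")
    sig, length, _rev, _cksum, oem_id, oem_table, *_ = ACPI_HEADER.unpack_from(raw, 0)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if not FIXED_SIZE <= length <= len(raw):
        raise ValueError("header length field is inconsistent with the data")
    table = raw[:length]
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    if arg_len % 2 or FIXED_SIZE + arg_len > length:
        raise ValueError("argument length is odd or runs past the table")
    # Arguments are a NUL-terminated UTF-16LE string passed to the binary.
    args = table[FIXED_SIZE:FIXED_SIZE + arg_len].decode("utf-16-le", "replace")
    return {
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oem_table.rstrip(b"\x00 ").decode("ascii", "replace"),
        "checksum_ok": sum(table) % 256 == 0,  # all table bytes must sum to 0 mod 256
        "binary_size": size,        # size of the binary in physical memory
        "binary_address": addr,     # physical address where firmware placed it
        "content_layout": layout,   # 1 = single PE image in a flat buffer
        "content_type": ctype,      # 1 = native user-mode application
        "arguments": args.rstrip("\x00"),
    }


def check_firmware(path: Path = SYSFS_WPBT):
    """Return the parsed WPBT if this machine's firmware publishes one, else None."""
    try:
        raw = path.read_bytes()
    except FileNotFoundError:
        return None
    return parse_wpbt(raw)


def build_sample_table(args: str = "--constructed-arg") -> bytes:
    """Build a constructed WPBT with a valid checksum, for offline testing."""
    arg_bytes = (args + "\x00").encode("utf-16-le")
    body = WPBT_BODY.pack(0x20000, 0x7F000000, 1, 1, len(arg_bytes)) + arg_bytes
    header = ACPI_HEADER.pack(
        b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
        b"SAMPLE", b"EXAMPLE ", 1, b"TEST", 1,
    )
    table = bytearray(header + body)
    table[9] = (-sum(table)) % 256  # checksum byte lives at offset 9
    return bytes(table)


if __name__ == "__main__":
    found = check_firmware()
    if found is None:
        print("No WPBT in sysfs; parsing the constructed sample instead.")
        found = parse_wpbt(build_sample_table())
    for key, value in found.items():
        shown = hex(value) if key.startswith("binary_") else value
        print(f"{key:15} {shown}")
```

On Linux the kernel does nothing with this table, so its presence there only tells you what a Windows installation on the same hardware would be handed at boot.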

not sure why anyone in the know would ever buy lenovo..

Also cannot believe IBM compromised themselves being involved with Lenovo with their pc's and legacy servers like systemx


Doesn't affect me because I have not run Windows for 10 years. I install Windows on every PC. I would prefer to run ARM more widely, but unfortunately the hardware choice is limited.

That said I am not overly confident that with Linux I am totally immune against executing code I never intended to. The kernel needs to cooperate with the BIOS. I would not be surprised if the BIOS can make it execute arbitrary code provided by the vendor. It just needs to be a bit more tricky than telling the operating system look here is a binary in RAM, please save it on root file system as /bin/init

You don't even need that. The BIOS can just install vulnerable SMM handlers and then you're screwed.

I don't get why you say it doesn't affect you - bloated and crappy firmware affects everyone, regardless of OS.

The described mechanism does not affect me, because Linux kernel or any distro does not take a binary from RAM and installs it into the rootfs.

I don't claim that Linux could not be made to execute arbitrary code injected by the BIOS. So far I am somewhat optimistic that no HW vendor does it, it's a bit more tricky because different from Windows Linux does not offer a specified API to do such installation. With enough dedication and effort the BIOS could install programs to be run every boot also in Linux. I have no illusions that Linux prevents that (unless you use image signing, dm_verity and whatnot), I am just somewhat optimistic PC vendors don't bother to make the effort required.

but they could put a custom linux kernel into the firmware that boots before your installed one, which can access the disk and write to it.

in fact weren't there mainboards with linux in the firmware already? they weren't doing nefarious things, but they could have.

>install vulnerable SMM handlers

How can an SMM handler be vulnerable? The biggest problem with SMM is that they run in ring -2. Nothing on the machine can see what they are doing. Well, they are using memory, if you can manipulate the memory they are using you can manipulate what the handler does, even if you cannot see it executing. But wasn't that the hole closed in 2011? https://www.theregister.co.uk/2015/08/11/memory_hole_roots_i...

This is fascinating to discuss or very worrying to use. That's why I wrote I'd prefer ARM over Intel any time. It just does not have such a horrible mess of BIOS, SMM, ME and whatnot taking control away from the programmer/machine owner.

But setting a simple Windows API like WPBT described in the article in relation to SMM is comparing apples and oranges. Linux has nothing comparable to WPBT, but of course it cannot be more trustworthy than the Intel/PC platform to begin with. For a dedicated 3 letter agency that's probably equivalent to not at all, but for the average PC vendor trying to force their idea of "user support" on you it's a sufficient hurdle, I'd hope.

> The BIOS can just install vulnerable SMM handlers and then you're screwed.

Writing SMM handlers is not an easy job. Using the API provided by Windows to make installations as described by the article is an easy job. The installed program is just plain simple user space code that can use all services of the operating system. No special skills required to make it phone home.

Are there any reports of an SMM handler able to phone home? (Honestly curious)

If it's in the BIOS, it doesn't matter what OS you use. The BIOS powers up first and is active before the operating system ever is.

Except only Windows cares to actively look for the Windows program offered by the BIOS and run it.

stupid mistake, sorry

> I install Windows on every PC

Linux of course
