Lenovo - if it's on your network, you ARE breached.



  • Excuse me a minute while I have a @JaredBusch and @scottalanmiller combination moment here.

    FFS people, I'd testify to this in court!

    1. Superfish was not only in the factory image, it's also contained in the hardware drivers. No amount of anything will protect you from the drivers! Trying to use a generic driver disables the hardware. Known issue with wifi chips from Lenovo.

    2. BIOS access. Yes, every server has a way to do remote management of said server. Nobody, other than Lenovo, has BIOS level access via a hard coded url and single password for every single box. Yes, they fixed it by changing the password.

    On top of those ongoing issues are the lies and half-truths they're always pushing. Like the "No business class machines have Superphish" when they had just reclassified all the lines of business machines that had it to consumer 5 days before.

    Using Lenovo is itself a data breach. They haven't properly fixed any of this yet!

    I also wanted a single place to go in order to get this information collated and more publicized. Let me know everything I've forgotten or messed up!



  • I have always been skeptical of them even before superfish. Something just didnt add up with them.



  • I just warned 3 people off Lenovo yesterday.



  • The OP should be updated with links to credible news stories talking about the listed issues.
    Not because the OP is wrong, but because to most, this is just a random tech website, where there is no proof that there is no ax to grind, etc. So linking to credible news sources (several would be better) helps ensure the reader of the validity of the claims here.



  • Confirmed OP is a Dell fanboi :P



  • I have not had Lenovo in my systems ever!!



  • Sigh. This is something I bring up anytime someone says 'Lenovo'. We buy nothing but Lenovo and I'm very close to having a seizure at work.



  • The saying, you get what you pay for.
    Network full of viruses!



  • @dashrender said in Lenovo - if it's on your network, you ARE breached.:

    The OP should be updated with links to credible news stories talking about the listed issues.
    Not because the OP is wrong, but because to most, this is just a random tech website, where there is no proof that there is no ax to grind, etc. So linking to credible news sources (several would be better) helps ensure the reader of the validity of the claims here.

    Yup



  • @dashrender said in Lenovo - if it's on your network, you ARE breached.:

    The OP should be updated with links to credible news stories talking about the listed issues.
    Not because the OP is wrong, but because to most, this is just a random tech website, where there is no proof that there is no ax to grind, etc. So linking to credible news sources (several would be better) helps ensure the reader of the validity of the claims here.

    I'd love to, but most of the claims I've made have originated right here, and been later confirmed by myself testing on an X220 which has since been given the Office Space treatment. I'd love some external confirmation!



  • @eddiejennings said in Lenovo - if it's on your network, you ARE breached.:

    Confirmed OP is a Dell fanboi :P

    HP, Dell, SuperMicro, Huaway, just about anything other than Lenovo, yes.



  • @dashrender said in Lenovo - if it's on your network, you ARE breached.:

    The OP should be updated with links to credible news stories talking about the listed issues.
    Not because the OP is wrong, but because to most, this is just a random tech website, where there is no proof that there is no ax to grind, etc. So linking to credible news sources (several would be better) helps ensure the reader of the validity of the claims here.

    I'll also note that this all came to light while a used X220 was being shipped to me, so yes, I have an axe to grind, but I've also personally seen this stuff happen.


  • Service Provider

    @wirestyle22 said in Lenovo - if it's on your network, you ARE breached.:

    Sigh. This is something I bring up anytime someone says 'Lenovo'. We buy nothing but Lenovo and I'm very close to having a seizure at work.

    You are at a job where people should be in jail for that.





  • @scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:

    @wirestyle22 said in Lenovo - if it's on your network, you ARE breached.:

    Sigh. This is something I bring up anytime someone says 'Lenovo'. We buy nothing but Lenovo and I'm very close to having a seizure at work.

    You are at a job where people should be in jail for that.

    Hopefully not for long



  • This is an issue when using Windows only?



  • @black3dynamite said in Lenovo - if it's on your network, you ARE breached.:

    This is an issue when using Windows only?

    No, everything.

    Superfish is included with the wifi drivers to a point that the wireless chips will not work without it. As for the BIOS level access, well, that's as bad as it gets.



  • @travisdh1 said in Lenovo - if it's on your network, you ARE breached.:

    @black3dynamite said in Lenovo - if it's on your network, you ARE breached.:

    This is an issue when using Windows only?

    No, everything.

    Superfish is included with the wifi drivers to a point that the wireless chips will not work without it. As for the BIOS level access, well, that's as bad as it gets.

    I don't know what Wi-Fi chipset you have; however, we have the direct from Intel drivers so if SuperFish is included here I don't think that is a Lenovo issue.



  • @travisdh1 said in Lenovo - if it's on your network, you ARE breached.:

    @eddiejennings said in Lenovo - if it's on your network, you ARE breached.:

    Confirmed OP is a Dell fanboi :P

    HP, Dell, SuperMicro, Huaway, just about anything other than Lenovo, yes.

    Ha!



  • @donaldlandru said in Lenovo - if it's on your network, you ARE breached.:

    @travisdh1 said in Lenovo - if it's on your network, you ARE breached.:

    @black3dynamite said in Lenovo - if it's on your network, you ARE breached.:

    This is an issue when using Windows only?

    No, everything.

    Superfish is included with the wifi drivers to a point that the wireless chips will not work without it. As for the BIOS level access, well, that's as bad as it gets.

    I don't know what Wi-Fi chipset you have; however, we have the direct from Intel drivers so if SuperFish is included here I don't think that is a Lenovo issue.

    That's great, you're entire network has already been pwnd tho, thanks to that absolutely assinine BIOS code.


  • Service Provider

    @donaldlandru said in Lenovo - if it's on your network, you ARE breached.:

    @travisdh1 said in Lenovo - if it's on your network, you ARE breached.:

    @black3dynamite said in Lenovo - if it's on your network, you ARE breached.:

    This is an issue when using Windows only?

    No, everything.

    Superfish is included with the wifi drivers to a point that the wireless chips will not work without it. As for the BIOS level access, well, that's as bad as it gets.

    I don't know what Wi-Fi chipset you have; however, we have the direct from Intel drivers so if SuperFish is included here I don't think that is a Lenovo issue.

    Lenovo had some of them set so that the UEFI would load malicious code regardless of where you got the drivers.


  • Service Provider

    @black3dynamite said in Lenovo - if it's on your network, you ARE breached.:

    This is an issue when using Windows only?

    Depends on the model. Some issues are Windows only. Some are not. Of course, this is only issues that have been caught. Since no one knows if all issues have been caught, you'll never know.


  • Service Provider

    With Lenovo, it's like letting a highly skilled thief into your house. You know they are trying to steal from you. And you just hope that you have figured out all of their tricks. But that's naive. It's just inviting risk. It's like counting all the jewels as you let a thief wander around your house rather than just locking the front door in the first place.



  • @travisdh1 said in Lenovo - if it's on your network, you ARE breached.:

    @donaldlandru said in Lenovo - if it's on your network, you ARE breached.:

    @travisdh1 said in Lenovo - if it's on your network, you ARE breached.:

    @black3dynamite said in Lenovo - if it's on your network, you ARE breached.:

    This is an issue when using Windows only?

    No, everything.

    Superfish is included with the wifi drivers to a point that the wireless chips will not work without it. As for the BIOS level access, well, that's as bad as it gets.

    I don't know what Wi-Fi chipset you have; however, we have the direct from Intel drivers so if SuperFish is included here I don't think that is a Lenovo issue.

    That's great, you're entire network has already been pwnd tho, thanks to that absolutely assinine BIOS code.

    And do you have links to back up these claims? Quite a few Google searches later and at the BIOS level I have not found a vulnerability that was also not found in other manufacturers BIOS as well by other IBV's. This suggests that the issue may be further up the chain. Nasty Lenovo UEFI exploit also affects products from other vendors

    While it does not excuse the behavior, the worst thing I have seen in this Lenovo issue, is not what they have done, yet simply the fact they were not up front about it.

    Why so I not see any posts saying to banish Siri enabled devices from the network? IBM thought Apple storing transcripts and recordings of interactions was a threat.
    How about Barracuda? Between large subnets of allowed addresses on their support ports and hard coded common passwords, I don't see any if you have Barracuda, Russia owns your network posts.

    Samsung TV's, Amazon Echo's, Google Homes, and other platforms do nothing but use methods to scan your network and force control over your devices and collect data, yet no screams for bans on those.

    While a poor example, Windows 10 does almost everything Lenovo is getting cheap for natively. (E.g. Telemetry, you can't turn it 100% off. If you remove an update it automatically puts itself back on. Hell even today I had a machine with expired WebRoot, my only options were to renew webroot or install Windows Defender before continuing) the last one may actually be webroot doing the nagging I have not confirmed that.

    Now let be clear, I am not going out and saying Lenovo's are 100% safe, in fact my research today on this topic shows it is not. However, that same research shows no manufacturer is safe. Check out this article on eDellRoot Dell computers with the eDellRoot root certificate may allow attackers to sign SSL/TLS certificates as legitimate sources and can be vulnerable to man-in-the-middle attacks. Even without the article pointing out several times this being reminiscent of Superfish it sounds pretty close to me.

    I would support the title of this post being Some Lenovo consumer models computers are susceptible to really shady things because manufactures want to make money, but the title as is, in my opinion, does not accurately represent the situation.

    Edit: added source for BIOS claim. Updated closing thoughts based on additional research.

    During my search, I think the comment found below sums up the whole thing.
    NOT intending to excuse Lenovo, but I work in the business, and ALL major companies (HP, Microsoft, Apple, Google, AT&T, Verizon, Comcast, etc...) Hate Us, and would happily sell razor blades to babies if they could figure out how to weather the lawsuits & still turn a profit...


  • Service Provider

    @donaldlandru said in Lenovo - if it's on your network, you ARE breached.:

    @travisdh1 said in Lenovo - if it's on your network, you ARE breached.:

    @donaldlandru said in Lenovo - if it's on your network, you ARE breached.:

    @travisdh1 said in Lenovo - if it's on your network, you ARE breached.:

    @black3dynamite said in Lenovo - if it's on your network, you ARE breached.:

    This is an issue when using Windows only?

    No, everything.

    Superfish is included with the wifi drivers to a point that the wireless chips will not work without it. As for the BIOS level access, well, that's as bad as it gets.

    I don't know what Wi-Fi chipset you have; however, we have the direct from Intel drivers so if SuperFish is included here I don't think that is a Lenovo issue.

    That's great, you're entire network has already been pwnd tho, thanks to that absolutely assinine BIOS code.

    And do you have links to back up these claims? Quite a few Google searches later and at the BIOS level I have not found a vulnerability that was also not found in other manufacturers BIOS as well by other IBV's. This suggests that the issue may be further up the chain. Nasty Lenovo UEFI exploit also affects products from other vendors

    While it does not excuse the behavior, the worst thing I have seen in this Lenovo issue, is not what they have done, yet simply the fact they were not up front about it.

    Why so I not see any posts saying to banish Siri enabled devices from the network? IBM thought Apple storing transcripts and recordings of interactions was a threat.
    How about Barracuda? Between large subnets of allowed addresses on their support ports and hard coded common passwords, I don't see any if you have Barracuda, Russia owns your network posts.

    Samsung TV's, Amazon Echo's, Google Homes, and other platforms do nothing but use methods to scan your network and force control over your devices and collect data, yet no screams for bans on those.

    While a poor example, Windows 10 does almost everything Lenovo is getting cheap for natively. (E.g. Telemetry, you can't turn it 100% off. If you remove an update it automatically puts itself back on. Hell even today I had a machine with expired WebRoot, my only options were to renew webroot or install Windows Defender before continuing) the last one may actually be webroot doing the nagging I have not confirmed that.

    Now let be clear, I am not going out and saying Lenovo's are 100% safe, in fact my research today on this topic shows it is not. However, that same research shows no manufacturer is safe. Check out this article on eDellRoot Dell computers with the eDellRoot root certificate may allow attackers to sign SSL/TLS certificates as legitimate sources and can be vulnerable to man-in-the-middle attacks. Even without the article pointing out several times this being reminiscent of Superfish it sounds pretty close to me.

    I would support the title of this post being Some Lenovo consumer models computers are susceptible to really shady things because manufactures want to make money, but the title as is, in my opinion, does not accurately represent the situation.

    Edit: added source for BIOS claim. Updated closing thoughts based on additional research.

    During my search, I think the comment found below sums up the whole thing.
    NOT intending to excuse Lenovo, but I work in the business, and ALL major companies (HP, Microsoft, Apple, Google, AT&T, Verizon, Comcast, etc...) Hate Us, and would happily sell razor blades to babies if they could figure out how to weather the lawsuits & still turn a profit...

    Actually yes. We should be years past anyone asking for proof yet again. This is a dead horse. Lenovo was all over the news time and time again. This isn't anything that came from ML. This is "if people don't know by now they are ignoring it" territory. It's been all over every major IT news outlet for years.


  • Service Provider

    I'm a bit shocked that anyone is questioning that there might be some grey area in which Lenovo might be in any way acceptable to use. There is no vendor, ever, to have worked this way. Lenovo is completely unprecedented in the depth, breadth, audacity or repetition of their attacks.


  • Service Provider

    @donaldlandru said in Lenovo - if it's on your network, you ARE breached.:

    @travisdh1 said in Lenovo - if it's on your network, you ARE breached.:

    @black3dynamite said in Lenovo - if it's on your network, you ARE breached.:

    This is an issue when using Windows only?

    No, everything.

    Superfish is included with the wifi drivers to a point that the wireless chips will not work without it. As for the BIOS level access, well, that's as bad as it gets.

    I don't know what Wi-Fi chipset you have; however, we have the direct from Intel drivers so if SuperFish is included here I don't think that is a Lenovo issue.

    Part of the issue was that with some of the Lenovos was that they used special chipsets that had only one source and no matter how you acquired it, Superfish was included. NOW, only after being caught and legal issues pressed, drivers are available from other sources. You are looking at this AFTER they were busted, not before. Originally, all available drivers for some Lenovo models had Superfish in them. Your only options were to have Superfish or to use a different OS. In that one particular case, Linux provided a fix to the issue.

    After course, now long after being caught, they had to release drivers that don't have any known hijacks in them. That you have drivers today without superfish isn't indicative of anything.


  • Service Provider

    @donaldlandru said in Lenovo - if it's on your network, you ARE breached.:

    I would support the title of this post being Some Lenovo consumer models computers are susceptible to really shady things because manufactures want to make money, but the title as is, in my opinion, does not accurately represent the situation.

    Except it was commercial models, as is well known, that were affected. This "we rebranded things that were breached as consumer after the fact" BS is seriously bad and itself is a security concern. No IT person should ever repeat this. It's completely false and totally misleading and is a result of Lenovo socially engineering their customers. As we say in IT, the biggest risk is people not technology and that you are repeating this incorrect information tells us that you have been compromised by Lenovo. You actually just proved our point, Lenovo has manipulated you into repeating a security falsehood to promote their attacks. This shows the extent to their devious nature.

    Travis even mentioned this in the OP. There is zero question here, commercial models are where this was discovered. It's actually all commercial, NOT consumer, that we are aware of as issues.

    It was actually because it was commercial units that made finding Superfish so easy because it was equipment specifically for IT pros with Windows 10 Pro on it that made Superfish easy to spot because SF breaks sites like MangoLassi and also breaks ActiveDirectory. Both of those things were reported on ML while troubleshooting the first Superfish discovery and led to figuring out that the network was being shimmed.


  • Service Provider

    @donaldlandru said in Lenovo - if it's on your network, you ARE breached.:

    NOT intending to excuse Lenovo, but I work in the business, and ALL major companies (HP, Microsoft, Apple, Google, AT&T, Verizon, Comcast, etc...) Hate Us, and would happily sell razor blades to babies if they could figure out how to weather the lawsuits & still turn a profit...

    But that is what you are doing. Not a one of those examples is even remotely like Lenovo. Not a one has come close as to how bad it was, not one has come close to doing it repeatedly. That you'd mention any of those as some sort of comparison means either that you are trying to make Lenovo sound better than it is or you don't understand what Lenovo has done that we are discussing. There are no known issues in IT history that are comparable to Lenovo. Not a one. And Lenovo has done it more than once.

    If you want to have an honest discussion about Lenovo, you can't mention stuff like this nor repeat Lenovo's own false social engineering security attacks to make them sound reasonable or plausible. If for no other reason, someone reading this thread might actually think that what Lenovo has done might not be absolutely true (it is, it's all over the news, it's beyond reasonable question, it's happened to people you know, it was discovered on a machine you've seen first hand by people you know personally, it actively disabled the very site we are writing on to discuss it) or that the degree to which this was unthinkably bad isn't what it is.


  • Service Provider

    The Pentagon seems to agree that Lenovo is a specific threat that other vendors are not. They don't see other vendors in the same light:

    https://mangolassi.it/topic/11320/pentagon-warns-against-using-lenovo-equipment


Log in to reply
 

Looks like your connection to MangoLassi was lost, please wait while we try to reconnect.