Lenovo - if it's on your network, you ARE breached.
-
The Pentagon seems to agree that Lenovo is a specific threat that other vendors are not. They don't see other vendors in the same light:
https://mangolassi.it/topic/11320/pentagon-warns-against-using-lenovo-equipment
-
Don't forget this one reported by Webroot...
https://mangolassi.it/topic/7748/lenovo-screws-the-pooch-yet-again-on-the-security-front
-
And the big one, other than Superfish, Lenovo adding rootkits to the hardware in order to deploy malware onto their boxes against the wishes or knowledge of users:
-
All of those original threads have links to original sources, ML is not the source of anything originally except, of course, for Superfish which was discovered here first.
-
@scottalanmiller I will review your links; however, I think the overall point was missed here.
My point is not Lenovo is safe, my point is there are other companies doing the same or similar shady practices and yet they are being marked as safe. Much like officiating, I don't care if someone always is right or wrong, just be consistent.
Dell has (had) Superfish as well, links in my original post, yet that is ok to you because they are not Lenovo
HP has the same SMM BIOS remote execution code that is being discussed as Lenovo owning your network. Yet, this thread says HP is safe. Again, on the only argument is that it is nor Lenovo.
-
@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:
And the big one, other than Superfish, Lenovo adding rootkits to the hardware in order to deploy malware onto their boxes against the wishes or knowledge of users:
I'm pretty sure this particular one is an over statement by Scott. As far as I know no malware was discovered in this (I'll agree with this term) hardware rootkit. Could it be used this way, absolutely, but I'm currently unaware or not remembering actual malware deployed through this.
Junkware on the other hand - sure. Lenovo's own crapware to help them deploy their own drivers, etc. This was after the SF issue, so again, it's not known if actual malware was distributed this way. -
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
@scottalanmiller I will review your links; however, I think the overall point was missed here.
My point is not Lenovo is safe, my point is there are other companies doing the same or similar shady practices and yet they are being marked as safe. Much like officiating, I don't care if someone always is right or wrong, just be consistent.
Dell has (had) Superfish as well, links in my original post, yet that is ok to you because they are not Lenovo
Your article doesn't really have enough information. It doesn't say if it was ever discovered why these certs where included. In the case of Lenovo, we know that Lenovo included 3rd party software that included SuperFish - which is bad enough, but even worse, Lenovo keyed their hardware preventing the use of non SuperFish infected Network Drivers. The Dell article indicates that dell simply included a cert - but again not why. The why is very important.
Furthermore Lenovo released press releases that said that there was nothing wrong with their laptops and that they didn't include such malware, which is clearly false. This was then finally later followed up by new drivers devoid of the SF malware.
HP has the same SMM BIOS remote execution code that is being discussed as Lenovo owning your network. Yet, this thread says HP is safe. Again, on the only argument is that it is nor Lenovo.
The SMM BIOS issue is less an issue for me personally. From my view, the vendors are using these features to assist users getting their systems back to a stable condition. I already responded above saying that Scott is making an overstatement about the use of SMM BIOS codes.
of course, this said - manufactures SHOULD provide a way to disable this in the BIOS/UEFI. -
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
@scottalanmiller I will review your links; however, I think the overall point was missed here.
My point is not Lenovo is safe, my point is there are other companies doing the same or similar shady practices and yet they are being marked as safe. Much like officiating, I don't care if someone always is right or wrong, just be consistent.
Lenovo forcing the use of their own SuperFish'ed driver via hardware locks is what makes Lenovo so untrustable. This is unforgivable to me. They were very well aware that they were installing a network shim on these computers. If you agree they were unaware of the harm available via this shim, then you must also agree that they are incapable of making good hardware (secure) because they lack fundamental understandings of that hardware platform and should be out of business. If they did understand the harm available due to this shim, then they are complicate in the act, and should also be out of business.
-
@dashrender said in Lenovo - if it's on your network, you ARE breached.:
Your article doesn't really have enough information. It doesn't say if it was ever discovered why these certs where included
I was trying to avoid manufacturer links however here is Dell's statement
Doesn't excuse the blatant security risk they created by doing it
-
Ok fine, I would excuse that they made a mistake including the private key, but mistakes happen, we are human after all, even Scott have made one or two in his life.
And that release is basically Dell taking the hit, though admittedly they didn't call themselves out in that post.
I most of us can allow mistakes, but Lenovo didn't make a mistake. It wasn't an accident that the hardware was key locked to a code from Lenovo for drivers, it wasn't as mistake that the drivers had SF embedded in the drivers. It wasn't a mistake that they denied these things when they first came to light.
Lenovo was clearly gambling that we would never find out. This Dell thing was an accident/ mistake.
The SMM thing is actually part of the system being used as designed. Computrace has been using it for over a decade to reinstall tracking software on stole devices, the main reason someone brought it up now was two fold: first because Lenovo was in the news for being shady recently, and also because it was doing something that wasn't purchased specifically by the user, unlike computrace. -
@dashrender said in Lenovo - if it's on your network, you ARE breached.:
Ok fine, I would excuse that they made a mistake including the private key, but mistakes happen, we are human after all, even Scott have made one or two in his life.
And that release is basically Dell taking the hit, though admittedly they didn't call themselves out in that post.
I most of us can allow mistakes, but Lenovo didn't make a mistake. It wasn't an accident that the hardware was key locked to a code from Lenovo for drivers, it wasn't as mistake that the drivers had SF embedded in the drivers. It wasn't a mistake that they denied these things when they first came to light.
Lenovo was clearly gambling that we would never find out. This Dell thing was an accident/ mistake.
The SMM thing is actually part of the system being used as designed. Computrace has been using it for over a decade to reinstall tracking software on stole devices, the main reason someone brought it up now was two fold: first because Lenovo was in the news for being shady recently, and also because it was doing something that wasn't purchased specifically by the user, unlike computrace.This is key. Lenovo had three "non-accidents" of unprecedented proportions. Did they also have "mistakes" above and beyond those like everyone else? Sure, but we aren't talking about those. We are talking about malicious, unforgivable attacks on their end users. We are talking about a company that hoped they wouldn't get caught, got caught, and kept right on doing it because they don't care.
And bottom line, people using Lenovo at this point don't care (how could you) and are in a position of being implicated in security concerns. Lenovo has lost the security conscious market. That's gone. They've reduced their customer base only to those that value price over security of their organizations at a pretty extreme level. So while smaller, Lenovo now has shown that with the right marketing they can push their current users to any level that they want.
They have an army of people on places like SW who will attack anyone that points out the security or ethics problems, who will cover up issues or try to belittle them. Lenovo has shown that in many cases, marketing is more powerful than security, even to the IT world.
-
@dashrender said in Lenovo - if it's on your network, you ARE breached.:
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
@scottalanmiller I will review your links; however, I think the overall point was missed here.
My point is not Lenovo is safe, my point is there are other companies doing the same or similar shady practices and yet they are being marked as safe. Much like officiating, I don't care if someone always is right or wrong, just be consistent.
Dell has (had) Superfish as well, links in my original post, yet that is ok to you because they are not Lenovo
Your article doesn't really have enough information. It doesn't say if it was ever discovered why these certs where included. In the case of Lenovo, we know that Lenovo included 3rd party software that included SuperFish - which is bad enough, but even worse, Lenovo keyed their hardware preventing the use of non SuperFish infected Network Drivers. The Dell article indicates that dell simply included a cert - but again not why. The why is very important.
Furthermore Lenovo released press releases that said that there was nothing wrong with their laptops and that they didn't include such malware, which is clearly false. This was then finally later followed up by new drivers devoid of the SF malware.
HP has the same SMM BIOS remote execution code that is being discussed as Lenovo owning your network. Yet, this thread says HP is safe. Again, on the only argument is that it is nor Lenovo.
The SMM BIOS issue is less an issue for me personally. From my view, the vendors are using these features to assist users getting their systems back to a stable condition. I already responded above saying that Scott is making an overstatement about the use of SMM BIOS codes.
of course, this said - manufactures SHOULD provide a way to disable this in the BIOS/UEFI.Any software that isn't supposed to be there pushed in this way IS malware, period. There is no grey area. If a hostile entity puts things Im' trying to block onto my network, that's malware. That the malware didn't have a chance to do something really malicious and was still in a deployment testing mode makes no difference.
-
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
And do you have links to back up these claims? Quite a few Google searches later and at the BIOS level I have not found a vulnerability that was also not found in other manufacturers BIOS as well by other IBV's. This suggests that the issue may be further up the chain. Nasty Lenovo UEFI exploit also affects products from other vendors
No, this is an ADDITIONAL security problem that no one is talking about with Lenovo. That's how bad Lenovo is, their later actual mistakes are bad enough that they have been used to cover up their earlier, far worse non-mistake security issues. What you are listing here is not at all the type of or level of issue that Travis meant by this thread or what any of us mean when talking about the evils of Lenovo. This is just general incompetence or errors that all vendors make.
For all we know, Lenovo did this on purpose knowing that media attention about something that they could mitigate would go a long way to erasing the social memory of the things that they had done before. IT has been shown to have a very, very short memory and whether Lenovo managed to plan a social engineering of it or it was just a happy accident - they actually managed to get positive marketing covering up their unforgivable acts by having a security exploit discovered.
Think about how bad that actually makes it....
- Do unthinkably bad attack on customers.
- Get caught.
- Show no remorse.
- Casually include major security mistake a year later.
- Act quick to make sure it is discovered on your systems first.
- Quickly show that you are not alone and it is a broad industry mistake.
- Use new security hole as a tool to hack the wetware of IT departments and make them feel that all the former Lenovo-specific issues were derived for this "mistake" two years later.
-
@dashrender said in Lenovo - if it's on your network, you ARE breached.:
Junkware on the other hand - sure. Lenovo's own crapware to help them deploy their own drivers, etc. This was after the SF issue, so again, it's not known if actual malware was distributed this way.
That's malware. Plain and simple. When deployed via a rootkit. And more importantly, there was a rootkit!!
-
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
@scottalanmiller I will review your links; however, I think the overall point was missed here.
My point is not Lenovo is safe, my point is there are other companies doing the same or similar shady practices and yet they are being marked as safe.
No, this is missing the point. The point is that no one but Lenovo has ever done stuff like this. No one. If you think that there is any other company that you can use as a "see they did this too" then you've missed what has happened. We aren't talking about safe, we are talking about malicious. HPE and Dell are not your enemies, nor are they completely safe. But Lenovo is the actual enemy.
I'm extremely aware of the overall point here and am trying to show why you are missing how this all comes together. Travis wasn't pointing out that Lenovo made mistakes like all companies do, that's something you brought to the discussion. He (and we) are talking about the things that only Lenovo has done that are unlike anything seen in the industry before.
Lenovo is completely unique here. Any attempt to compare to another company, unless you have security examples none of us have ever heard of, means you are missing the discussion and are talking about something different.
-
@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:
They've reduced their customer base only to those that value price over security of their organizations at a pretty extreme level
This is what's bizarre to me. Even if you price Lenovo side-by-side and spec-for-spec. They are rarely cheaper then their competition. Sometimes they are but mostly they are within a few hundred dollars.
-
@Dashrender said in Lenovo - if it's on your network, you ARE breached.:
@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:
And the big one, other than Superfish, Lenovo adding rootkits to the hardware in order to deploy malware onto their boxes against the wishes or knowledge of users:
I'm pretty sure this particular one is an over statement by Scott. As far as I know no malware was discovered in this (I'll agree with this term) hardware rootkit. Could it be used this way, absolutely, but I'm currently unaware or not remembering actual malware deployed through this.
Junkware on the other hand - sure. Lenovo's own crapware to help them deploy their own drivers, etc. This was after the SF issue, so again, it's not known if actual malware was distributed this way.Anything delivered by this method would be malware. It's a hijack of your system. Unwanted software deployed to your system like this is malware, period.
I think if you are getting quotes and in different markets they are sometimes super cheap.
-
@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:
@dashrender said in Lenovo - if it's on your network, you ARE breached.:
Junkware on the other hand - sure. Lenovo's own crapware to help them deploy their own drivers, etc. This was after the SF issue, so again, it's not known if actual malware was distributed this way.
That's malware. Plain and simple. When deployed via a rootkit. And more importantly, there was a rootkit!!
Is it a windows rootkit? Or is it using built in tech by MS and BIOS/UEFI makers as a deployment method?
-
@dashrender said in Lenovo - if it's on your network, you ARE breached.:
@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:
@dashrender said in Lenovo - if it's on your network, you ARE breached.:
Junkware on the other hand - sure. Lenovo's own crapware to help them deploy their own drivers, etc. This was after the SF issue, so again, it's not known if actual malware was distributed this way.
That's malware. Plain and simple. When deployed via a rootkit. And more importantly, there was a rootkit!!
Is it a windows rootkit? Or is it using built in tech by MS and BIOS/UEFI makers as a deployment method?
It's MS encouraged UEFI rootkit. The rootkit was in firmware. It was only activated against Windows before getting caught. Linux would have been rooted the same though.
-
It's important to understand that Lenovo tried this rootkit deployment while under extreme scrutanty after being caught with superfish and is believed to have still been in a proof of concept phase of the attack without the real payloads having had a chance to be deployed yet.
It's like catching the crooks having broken into your house before they started carrying stuff out and you have to guess whether they were just stealing some food or everything that you owned. But they had already broken in, twice.