Lenovo X220 Security Risks



  • So, my MacBook Pro has been due a trip to the shop for video card replacement. I got several Lenovo X220 notebook/tablet deals lying around.

    I'm looking at popping in 8GB of RAM and an SSD, may just load Win10 as I'm not sure about what Linux flavor would even have all the drivers yet.

    But I'm just curious as to the nature of the security issue with Lenovo systems. I bought these around 2012 for field techs. Not sure when or how the security problem started, nor what I am exposing myself to in terms of security risks.

    Feedback appreciated. I do enjoy the way it looks like a 1999 laptop on the docking station. Very bulky and retro.


  • Service Provider

    If they are 2012, they probably predate the known security risks which were more recent than that. But if they are from 2012, are they really good enough to deploy?



  • @scottalanmiller said in Lenovo X220 Security Risks:

    If they are 2012, they probably predate the known security risks which were more recent than that. But if they are from 2012, are they really good enough to deploy?

    I think the X220s were from slightly before all that. I remember because I had bought a used X220 that was being shipped to me the week before the Superfish announcement. So I ordered laptop, we find out something bad is happening at Lenovo, I get laptop, and Superfish is announced the next day, with all the fun that came with that. They very well could be affected, I never trusted mine.


  • Service Provider

    @travisdh1 said in Lenovo X220 Security Risks:

    @scottalanmiller said in Lenovo X220 Security Risks:

    If they are 2012, they probably predate the known security risks which were more recent than that. But if they are from 2012, are they really good enough to deploy?

    I think the X220s were from slightly before all that. I remember because I had bought a used X220 that was being shipped to me the week before the Superfish announcement. So I ordered laptop, we find out something bad is happening at Lenovo, I get laptop, and Superfish is announced the next day, with all the fun that came with that. They very well could be affected, I never trusted mine.

    Oh, that's closer overlap than I was expecting.



  • @scottalanmiller said in Lenovo X220 Security Risks:

    If they are 2012, they probably predate the known security risks which were more recent than that. But if they are from 2012, are they really good enough to deploy?

    It's just for my use while I await MacBook repair.

    They "were" deployed in 2012 and leftover from an upgrade.


  • Service Provider

    @bigbear said in Lenovo X220 Security Risks:

    @scottalanmiller said in Lenovo X220 Security Risks:

    If they are 2012, they probably predate the known security risks which were more recent than that. But if they are from 2012, are they really good enough to deploy?

    It's just for my use while I await MacBook repair.

    They "were" deployed in 2012 and leftover from an upgrade.

    Throw some Linux on there, Lenovo has more issues with Windows than with Linux.



  • @scottalanmiller said in Lenovo X220 Security Risks:

    @bigbear said in Lenovo X220 Security Risks:

    @scottalanmiller said in Lenovo X220 Security Risks:

    If they are 2012, they probably predate the known security risks which were more recent than that. But if they are from 2012, are they really good enough to deploy?

    It's just for my use while I await MacBook repair.

    They "were" deployed in 2012 and leftover from an upgrade.

    Throw some Linux on there, Lenovo has more issues with Windows than with Linux.

    Tried Ubuntu and couldn't get docking station to work as desired. Also need a really good Photoshop replacement for editing GUI interface stuff on current project.

    Open to suggestions though.

    My oldest son called me out "Dad, I didn't know you were a fascist" earlier while I was booting Windows. On my Mac I can usually hide Microsoft on the virtual machine I use.


  • Service Provider

    @bigbear said in Lenovo X220 Security Risks:

    @scottalanmiller said in Lenovo X220 Security Risks:

    @bigbear said in Lenovo X220 Security Risks:

    @scottalanmiller said in Lenovo X220 Security Risks:

    If they are 2012, they probably predate the known security risks which were more recent than that. But if they are from 2012, are they really good enough to deploy?

    It's just for my use while I await MacBook repair.

    They "were" deployed in 2012 and leftover from an upgrade.

    Throw some Linux on there, Lenovo has more issues with Windows than with Linux.

    Tried Ubuntu and couldn't get docking station to work as desired. Also need a really good Photoshop replacement for editing GUI interface stuff on current project.

    Open to suggestions though.

    My oldest son called me out "Dad, I didn't know you were a fascist" earlier while I was booting Windows. On my Mac I can usually hide Microsoft on the virtual machine I use.

    I see, Windows is fascism now? Seems extreme. Especially if Apple is the alternative.



  • @scottalanmiller said in Lenovo X220 Security Risks:

    @bigbear said in Lenovo X220 Security Risks:

    @scottalanmiller said in Lenovo X220 Security Risks:

    @bigbear said in Lenovo X220 Security Risks:

    @scottalanmiller said in Lenovo X220 Security Risks:

    If they are 2012, they probably predate the known security risks which were more recent than that. But if they are from 2012, are they really good enough to deploy?

    It's just for my use while I await MacBook repair.

    They "were" deployed in 2012 and leftover from an upgrade.

    Throw some Linux on there, Lenovo has more issues with Windows than with Linux.

    Tried Ubuntu and couldn't get docking station to work as desired. Also need a really good Photoshop replacement for editing GUI interface stuff on current project.

    Open to suggestions though.

    My oldest son called me out "Dad, I didn't know you were a fascist" earlier while I was booting Windows. On my Mac I can usually hide Microsoft on the virtual machine I use.

    I see, Windows is fascism now? Seems extreme. Especially if Apple is the alternative.

    He is the one in the house with tape over his microphones and cameras (on laptops, phones and tablets) and who unhooks the Amazon Echos when no one is looking.

    I love Apple hardware across the board. Software has been waning for several years now on all fronts. :-/



  • Gotta give props to the X220t docking station though, HDMI cable powers my 32" screen just fine. Thought I would have to get a 27" out of the garage.


  • Service Provider

    @bigbear said in Lenovo X220 Security Risks:

    Gotta give props to the X220t docking station though, HDMI cable powers my 32" screen just fine. Thought I would have to get a 27" out of the garage.

    Why would the size make a difference?



  • @scottalanmiller said in Lenovo X220 Security Risks:

    @bigbear said in Lenovo X220 Security Risks:

    Gotta give props to the X220t docking station though, HDMI cable powers my 32" screen just fine. Thought I would have to get a 27" out of the garage.

    Why would the size make a difference?

    Right, well, resolution. I am surprised it supports 4K and higher.


  • Service Provider

    @bigbear said in Lenovo X220 Security Risks:

    @scottalanmiller said in Lenovo X220 Security Risks:

    @bigbear said in Lenovo X220 Security Risks:

    Gotta give props to the X220t docking station though, HDMI cable powers my 32" screen just fine. Thought I would have to get a 27" out of the garage.

    Why would the size make a difference?

    Right, well, resolution. I am surprised it supports 4K and higher.

    Ah, I don't have any 4K screens, even at the larger sizes.



  • On the Superfish note, does installing with a clean MSDN Windows 10 download negate the risk? I am not using any Lenovo software other than what Windows Update downloads for drivers.


  • Service Provider

    @bigbear said in Lenovo X220 Security Risks:

    On the Superfish note, does installing with a clean MSDN Windows 10 download negate the risk? I am not using any Lenovo software other than what Windows Update downloads for drivers.

    If you can get that to install and the drivers to work without reaching out to Lenovo for the drivers. MS themselves do not distribute SuperFish, but Lenovo traditionally worked pretty hard to find ways to get it in there, like blocking MS from hosting drivers.



  • @scottalanmiller said in Lenovo X220 Security Risks:

    @bigbear said in Lenovo X220 Security Risks:

    @scottalanmiller said in Lenovo X220 Security Risks:

    @bigbear said in Lenovo X220 Security Risks:

    @scottalanmiller said in Lenovo X220 Security Risks:

    If they are 2012, they probably predate the known security risks which were more recent than that. But if they are from 2012, are they really good enough to deploy?

    It's just for my use while I await MacBook repair.

    They "were" deployed in 2012 and leftover from an upgrade.

    Throw some Linux on there, Lenovo has more issues with Windows than with Linux.

    Tried Ubuntu and couldn't get docking station to work as desired. Also need a really good Photoshop replacement for editing GUI interface stuff on current project.

    Open to suggestions though.

    My oldest son called me out "Dad, I didn't know you were a fascist" earlier while I was booting Windows. On my Mac I can usually hide Microsoft on the virtual machine I use.

    I see, Windows is fascism now? Seems extreme. Especially if Apple is the alternative.

    Hear, hear!!!



  • @scottalanmiller - If you did a fresh install/custom image that didn't come from Lenovo, how would it be compromised?


  • Service Provider

    @wrx7m said in Lenovo X220 Security Risks:

    @scottalanmiller - If you did a fresh install/custom image that didn't come from Lenovo, how would it be compromised?

    For some Lenovo products, the compromises are hidden in the UEFI and get installed directly from the hardware. For others, they are the only available drivers for the hardware (Lenovo uses modified hardware so that it doesn't match generic drivers) so any working drivers end up bringing the compromises with them. Lenovo's claim to fame is getting past any and all "if I did this, how would they hack me" statements. They've made their hardware itself compromised in some cases.
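
A read-only audit for the two cases raised in the reply above, to run from an elevated PowerShell prompt after a clean Windows install. This is an added example, not something posted in the thread. It assumes that a Superfish root certificate carries "Superfish" in its subject or issuer, and that firmware-installed software arrives through the Windows Platform Binary Table, which Windows writes to `System32\wpbbin.exe`; the thread names neither mechanism.

```powershell
# Added example: post-install audit of a freshly imaged Windows machine.
# Read-only: it lists findings and changes nothing.

function Find-RootCertBySubject {
    param([string]$Pattern)
    # Trusted root stores for the machine and for the current user
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like "*$Pattern*" -or $_.Issuer -like "*$Pattern*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

function Get-FirmwareDroppedBinary {
    # Assumption: a firmware-supplied platform binary is written here by Windows at boot
    $path = Join-Path $env:windir 'System32\wpbbin.exe'
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path            = $path
        Signer          = $sig.SignerCertificate.Subject   # $null when unsigned
        SignatureStatus = $sig.Status
        SHA256          = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Created         = (Get-Item -LiteralPath $path).CreationTime
    }
}

$certs  = @(Find-RootCertBySubject -Pattern 'Superfish')
$binary = Get-FirmwareDroppedBinary

if ($certs.Count -gt 0) { $certs | Format-List }
else { 'No trusted root certificate matching "Superfish" found.' }

if ($binary) { $binary | Format-List }
else { 'No wpbbin.exe present in System32.' }
```

A `wpbbin.exe` that appears on an image built only from Microsoft media came from the firmware, so its signer and hash are what to investigate; a clean result covers only these two mechanisms, not the vendor-driver case described in the same reply.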



  • @scottalanmiller said in Lenovo X220 Security Risks:

    @wrx7m said in Lenovo X220 Security Risks:

    @scottalanmiller - If you did a fresh install/custom image that didn't come from Lenovo, how would it be compromised?

    For some Lenovo products, the compromises are hidden in the UEFI and get installed directly from the hardware. For others, they are the only available drivers for the hardware (Lenovo uses modified hardware so that it doesn't match generic drivers) so any working drivers end up bringing the compromises with them. Lenovo's claim to fame is getting past any and all "if I did this, how would they hack me" statements. They've made their hardware itself compromised in some cases.

    I had an annoying experience with their support recently when they didn't have a mobo in stock for the owner's Yoga ThinkPad 460 for almost a month. I wasted so much time calling them several times a day and getting the run-around. I can't tell you the number of times a different person told me, "I don't know who told you that, but that is not correct".

    I am looking at going back to Dell. We use Dell for desktops and servers but I did like the ThinkPads better (and so do my users).


  • Service Provider

    @wrx7m said in Lenovo X220 Security Risks:

    @scottalanmiller said in Lenovo X220 Security Risks:

    @wrx7m said in Lenovo X220 Security Risks:

    @scottalanmiller - If you did a fresh install/custom image that didn't come from Lenovo, how would it be compromised?

    For some Lenovo products, the compromises are hidden in the UEFI and get installed directly from the hardware. For others, they are the only available drivers for the hardware (Lenovo uses modified hardware so that it doesn't match generic drivers) so any working drivers end up bringing the compromises with them. Lenovo's claim to fame is getting past any and all "if I did this, how would they hack me" statements. They've made their hardware itself compromised in some cases.

    I had an annoying experience with their support recently when they didn't have a mobo in stock for the owner's Yoga ThinkPad 460 for almost a month. I wasted so much time calling them several times a day and getting the run-around. I can't tell you the number of times a different person told me, "I don't know who told you that, but that is not correct".

    I am looking at going back to Dell. We use Dell for desktops and servers but I did like the ThinkPads better (and so do my users).

    I've had zero good dealings with Lenovo. Even the better ones aren't good and the bad ones are really bad.

