Lenovo isn’t doing its reputation any favors with the discovery of another security issue around its pre-loaded PC software.
The latest issue relates to a “feature” in Lenovo’s BIOS firmware that automatically downloads Lenovo software and services, even if the user has performed a clean install of Windows. Microsoft actually allows this practice, but Lenovo’s particular implementation—dubbed “Lenovo Service Engine”—led to a security vulnerability, which an independent security researcher discovered in the April to May timeframe.
In response, Microsoft has put out security guidelines for this BIOS technique, which it calls the “Windows Platform Binary Table.” Because Lenovo Service Engine doesn’t meet those guidelines, Lenovo has stripped the tool from its BIOS firmware in all PCs shipped after June. The company has also released a special disabler tool, and on July 31 released a BIOS update to remove the tool from existing PCs. Dozens of consumer laptop and desktop models are affected, but Lenovo says its Think-brand PCs are not.
Why this matters: There are couple points of concern here. First is the vulnerability itself, which has flown under the radar for months. But just as troubling is the Microsoft-sanctioned mechanism that Lenovo was using to insert its software onto clean Windows installs. (One user on HackerNews described is a “rootkit-like” technique.) It’s entirely possible that other PC vendors are relying on the same mechanism for sneakily installing their own software, but just haven’t run into the same security issues that Lenovo did.
A brief history of Lenovo security woes
The timing is particularly poor for Lenovo, as it's just coming off another security scandal related to bloatware. In January, researchers discovered that a pre-loaded program called Superfish Visual Discovery was able to inject advertisements into the user’s web browser. In the process, Superfish was overriding the security certificates that many websites use to encrypt their data, creating a weakness that could make banking credentials and other sensitive information available to hackers.
Lenovo eventually admitted that it messed up, pushed an update that removed Superfish from affected PCs, and vowed to significantly cut down on the amount of bloatware it installs on laptops and desktops. Still, the company faces a lawsuit over the whole ordeal.
The Lenovo Service Engine issue is unrelated, though it contains at least a whiff of the creepiness that got Lenovo in trouble last time. As The Next Web points out, the software installed by Lenovo Service Engine didn’t just include updates to drivers, firmware, and pre-installed apps, but also sent “system data to a Lenovo server to help us understand how customers use our products.” While Lenovo says it’s not collecting personally identifiable information, the collection itself may be something customers aren’t aware of, and until now haven’t had any control over.