CAUGHT: Lenovo crams unremovable crapware into Windows laptops – by hiding it in the BIOS

Lenovo has sold laptops bundled with unremovable software that features a bonus exploitable security vulnerability. If the crapware is deleted, or the hard drive wiped and Windows reinstalled from scratch, the laptop's firmware will quietly and automatically reinstall Lenovo's software on the next boot-up. Built into the …


  1. Paul Crawford Silver badge

    When is a BIOS not a BIOS?

    When it's root-kitting your machine, obviously.

    But the more serious question is why are open/replicable BIOS not more widely demanded? Are our gov departments happy to buy mass-market PCs with such crap-ware (or even foreign spyware) pre-installed? If not, what are they doing about it? When do we start to see contracts for gov PCs that demand open source BIOS without any shit-ware installed? Only then will there be enough of a commercial pressure for suppliers to make enough details available for reliable 3rd party BIOS to be used.

    1. thames

      Re: When is a BIOS not a BIOS?

      What you're looking for is called "coreboot". It is open source, it's GPL so vendors can't add some proprietary "extra sauce" without releasing the source (and therefore letting us know what they did), and it does the minimum necessary to boot the OS and then gets out of the way. If you just want to run Linux, then it can boot GRUB 2 directly without any BIOS or EFI, which will then boot your Linux distro. If you want to run an "other OS", then you can use a BIOS (Seabios) or EFI (TianoCore) equivalent, and then boot the OS via that mechanism.

      Ironically, the Coreboot web site says that it works on at least 10 models of Lenovo laptop and it ships as the standard firmware on a Lenovo Chromebook.

      I'm not a big fan of large complex firmware systems in PCs. Large complex software systems will inevitably have bugs and security holes, and PC hardware vendors are poorly placed to deal with them. I would rather they just booted the OS with a minimum of fuss and let it get on with things. The OS vendors at least are used to dealing with security problems and have established procedures and update channels.

      1. frank ly

        @thames Re: When is a BIOS not a BIOS?

        "It is open source, it's GPL so vendors can't add some proprietary "extra sauce" without releasing the source ..."

        In an ideal world, that is true. We live in a less than ideal one though. Nowadays I'd only feel 'safe' if I could strip and analyse it myself or rely on a trusted review by an independent organisation.

    2. TheVogon

      Re: When is a BIOS not a BIOS?

      Presumably GCHQ already have a custom version of this...

      We need a WPBT table viewer - anyone?

      1. psychonaut

        Re: When is a BIOS not a BIOS?

        "We need a WPBT table viewer - anyone?"

        http://rweverything.com/download/

        I use the above to get the Win 8 key from the BIOS, but it has lots of other features. I don't know if it does what you want, but try it and see....I don't have a Win 8 laptop at the mo to check...

        1. Anonymous Coward

          http://rweverything.com/download/

          Ahh.

          True, this is about as safe as a fully loaded MAC-10 in the hands of a school kid, or a C++ compiler in the hands of a CS undergrad, but I quite like the option to cause unlimited mayhem.

          Thumbs up.

          1. psychonaut

            Re: http://rweverything.com/download/

            Enjoy! I only use it in read mode....

        2. Anonymous Coward

          Re: When is a BIOS not a BIOS?

          "http://rweverything.com/download/

          I use the above to get the Win 8 key from the BIOS, but it has lots of other features. I don't know if it does what you want, but try it and see....I don't have a Win 8 laptop at the mo to check..."

          Arrgghhh!!!

          Friggin Bit9... I'm in IT. It's like they don't trust us...

          Bastards.

          1. psychonaut

            Re: When is a BIOS not a BIOS?

            You could put a new hard disk in it and build Win 8, then use it...

            All the data you are after is in the BIOS after all....

    3. Anonymous Coward

      Re: When is a BIOS not a BIOS?

      That would require someone in Government who even understands what the problem is... no hope in the UK then.... they are just a bunch of ignorant oldies whose kids use the internet... and who themselves think that IT is something to do with Candy Crush (played on iPads during work time).

      1. Ben Tasker

        Re: When is a BIOS not a BIOS?

        "That would require someone in Government who even understands what the problem is... no hope in the UK then.... they are just a bunch of ignorant oldies whose kids use the internet... and who themselves think that IT is something to do with Candy Crush (played on iPads during work time)."

        And the Police are all stupid.....

        Generalising like that is incredibly dangerous, as it leads to deliberately underestimating a potential enemy/adversary. Yes, there are a lot of people in Politics and the Civil Service who don't understand computers, just as the private sector is full of the same types of people, but working on the assumption that there's no one who understands is a bad idea.

        You can be reasonably sure that the types employed by GCHQ do understand this, and the potential risks/benefits it presents (depending on what your aim is...), and if CESG or similar make a recommendation against using such kit, most departments will likely (at least half) bear that in mind.

      2. F0rdPrefect

        "they are just a bunch of ignorant oldies"

        My experience is that it is the oldies in government IT who understand the problems, or at least are suspicious of the possible problems, while the youngsters are too gung ho and enthusiastic about new stuff to even think of the risks.

    4. Bob Vistakin

      Google's "Don't be evil" motto

      Who did they have in mind when they coined this, again?

    5. Anonymous Coward

      Re: When is a BIOS not a BIOS?

      Thank god for "secure[sic] boot"

    6. JeffyPoooh

      "Is it safe? Is it safe? Is it safe?"

      "Security (theater) Software" is dead.

      The game has moved into the 'hardware', which is chock-a-block full of other software. Layers and layers and yet more hidden layers.

      There is no solution.

  2. BillG

    It's in China

    Lenovo's software also phones home to the Taiwanese giant details of the running system.

    Lenovo's commie headquarters is in Beijing. That's mainland Communist China, not the Constitutional Republic of Taiwan.

    1. diodesign (Written by Reg staff) Silver badge

      Re: It's in China

      "Lenovo's commie headquarters is in Beijing"

      Whoops – ok, fixed.

      C.

      1. BillG

        Re: It's in China

        Whoops – ok, fixed.

        Thumbs up for fixing it so fast!

  3. LaeMing

    It's almost like...

    ...they /want/ to go out of business!

    The Lenovo brand is, with me at least, now synonymous with dodginess, and anyone willingly using it will be treated with great suspicion (of at least their IT credentials).

    1. PleebSmash

      Re: It's almost like...

      Yup, it's on to the next rootkitted adware-laden cheap laptop maker for me.

  4. Richard Wharram

    Windows only though

    No effect if blatted with Linux?

    1. Dr Paul Taylor

      Re: Windows only though

      This is a question. It would be useful to have a definite answer. Does disabling "secure boot", installing Linux from a USB stick and scrubbing M$ remove the Lenovo rootkit?

      1. admiraljkb

        Re: Windows only though

        @Dr Paul Taylor The rootkit code would still be in the BIOS, but without the corresponding rootkit-calling code in Microsoft Windows to execute it, it would lie dormant there.

    2. Dan 55 Silver badge

      Re: Windows only though

      Well it'll understand it's not NTFS and not do anything or it'll corrupt the drive. Same for BitLocker partitions too I would have thought.

      1. Dan 55 Silver badge

        Re: Windows only though

        Replying to my reply, that seems to be true for the Windows 7 autochk.exe method where the file is overwritten by the BIOS.

        The Windows 8 and 10 wpbbin.exe method can't be disabled and gets past BitLocker, as it's Windows 8/10 itself which gets the file from the BIOS and runs it. So it seems if you must use Windows 8/10 there's nothing you can do to stop it.

        The article seems to say the autochk.exe method and the wpbbin.exe method are part of one rootkit, but the autochk.exe method would be used by the BIOS if Windows 7 is detected, and the wpbbin.exe method would be used by Windows 8/10: it checks the BIOS to see if this file is stored in it and, if so, writes it to the filesystem itself and runs it.

      2. Anonymous Coward

        Re: Windows only though

        "Well it'll understand it's not NTFS and not do anything or it'll corrupt the drive. Same for BitLocker partitions too I would have thought."

        Are you sure? Anyway I get enough weird shit happening on my Gentoo powered lappy without holes being punched in /usr/bin by the BIOS.

        Funnily enough, Lenovo laptops used to be the darling of the Linux dev brigade due to the way they had a habit of just working. No more, and I'm sure Lenovo's S&M dept are crying into their <whatever_they_drink_there>.

        1. LaeMing

          50 shades of fail.

          "I'm sure Lenovo's S&M dept are crying into their <whatever_they_drink_there>"

          Possibly they have become confused as to what the "S&M" in their dept. name stands for.

          1. Antonymous Coward

            Re: 50 shades of fail.

            >Possibly they have become confused as to what the "S&M" in their dept. name stands for.

            Empirical evidence would suggest they have a pretty firm grip on it.

            1. Mpeler

              Re: 50 shades of fail.

              Ahhh, so THAT's what Vendor Tie-In means.....

        2. James Pickett

          Re: Windows only though

          "Lenovo's S&M dept"

          They have one of those, too? Wow.

          (Having read down, I see I'm not the first to spot this. Must stay in more..)

        3. Fungus Bob

          Re: Windows only though

          "Lenovo's S&M dept are crying into their <whatever_they_drink_there>"

          I'm sure they drink the same poo water Bill Gates does.

          https://twitter.com/BillGates/status/631602128574881792/photo/1

      3. Teiwaz

        Re: Windows only though

        Well it'll understand be confused it's not NTFS and not do anything or it'll corrupt the drive. Same for BitLocker partitions too I would have thought.

        This is more likely.

    3. bjr

      Re: Windows only though

      It can't affect Linux for several reasons: first, it's looking for a Windows installation and it won't find one; second, it's looking for an NTFS file system and it won't know what to do with ext4; and finally, Windows binaries won't run on Linux except under WINE, which they won't be using.

      1. Dan 55 Silver badge

        Re: Windows only though

        It could misunderstand ext4 as it tries to read it as NTFS and corrupt the filesystem if it's badly written.

        1. Nigel 11

          Re: Windows only though

          "It could misunderstand ext4 as it tries to read it as NTFS and corrupt the filesystem if it's badly written."

          It could. Then your system would fail fsck after every boot (if it managed to boot at all). Then you'd send it back as having a defective hard disk. Then the replacement wouldn't work either. Then you'd demand a refund from your supplier as "goods not fit for purpose".

          They *might* try labelling it very clearly as usable with Windows only. At least then you'd know what not to buy. This is assuming that MS would allow use of their trademark in this way. Given their previous history with the EU authorities, I'd advise them against it.

          The greater risk would be if it shipped with a BIOS that understood Linux filesystems, and rootkitted them as well. Are we sure that they don't? Maybe it's time to start putting / on an encrypted FS even if you don't want /home to be on one!

          1. Dan 55 Silver badge

            Re: Windows only though

            I've been taught not to trust the filesystem detecting corruption but then again I use a Mac which has HFS+ which is a heap of crap... Only btrfs and zfs checksum files.

      2. saif

        Re: Windows only though

        I guess the probability is that most people who buy a Windows PC for a Linux install will probably want to try and dual boot. Certainly this was what I had in mind when I tried to install Linux variants (e.g. Ubuntu) on some budget Lenovo E50 desktops. No amount of tweaking and configuration/boot repair would allow Linux to boot....the UEFI boot order would always revert to Windows boot first, unless I crippled the Windows boot altogether.

      3. BlartVersenwaldIII

        Re: Windows only though

        Of course, there'd be nothing to stop Lenovo or whoever adding an ext4 driver and a Linux executable to their UEFI image so that they could compromise more than just Windows. Just because it can't affect Linux right now doesn't mean it won't eventually be co-opted by your friendly local UEFI supplier...

        Be interesting if anyone out there knows how easy it is to modify a UEFI image to shoehorn this stuff in. Are all UEFI images typically cryptographically signed?

    4. thames

      Re: Windows only though

      It's a standard MS Windows feature (Microsoft Windows Platform Binary Table) which Lenovo is making use of. The Lenovo software isn't loading itself. It simply sits in flash and lists itself as being available. MS Windows looks to see if it's there, and if so copies it onto the hard drive and executes it. It's an alternative to injecting the software directly into the install image. The documentation isn't clear, but I imagine that it was meant to allow enterprise IT staff to use their own generic Windows install images but still automatically provision the vendor specific stuff.

      If you installed Linux (e.g. Ubuntu) then the bits would simply sit there as there is no equivalent feature in Linux. The same obviously applies to BSD. It requires an active effort by the OS to load. The "rootkit" stories are a bit off target, in that it isn't something which is hidden from the OS. Rather it's a standard Windows feature which not many people were aware of.

      I would not be surprised if many other PC makers were doing the same thing, especially for their business oriented models. The only thing Lenovo may be doing is using it for more things than Microsoft had originally planned.

      Generally though, I think the feature was a bit of a bad idea by Microsoft to begin with. There's no guarantee that the software being loaded from the flash chips will be compatible with future versions of Windows, and there's no obvious provision for updating it when installing the new version of Windows. More than a few people would toss out the PC after scratching their heads for a while and then assuming there was some mysterious hardware incompatibility with Windows.
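TheVogon asked above for a WPBT table viewer, and thames's post describes what Windows does with the table. As an added example (not from the article or any commenter), here is a parser for the table's published layout so a defender can inventory what a machine's firmware is offering to Windows; the table bytes are constructed, and the OEM strings, address and command line in them are placeholders.

```python
"""Parse a Windows Platform Binary Table (WPBT) ACPI table.

Added example, not code from the article or its commenters. Field layout
follows Microsoft's published WPBT 1.0 spec; the sample table is constructed.
"""
import struct

ACPI_HDR = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI header
WPBT_BODY = struct.Struct("<IQBB")          # size, phys addr, layout, type
CONTENT_LAYOUT_SINGLE_PE = 1
CONTENT_TYPE_NATIVE_USER_APP = 1


def acpi_checksum_ok(table: bytes) -> bool:
    """Every ACPI table sums to zero mod 256, checksum byte included."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Return the fields a defender would inventory from a raw WPBT blob."""
    if len(table) < ACPI_HDR.size + WPBT_BODY.size:
        raise ValueError("table too short for a WPBT header")
    sig, length, _rev, _csum, oem_id, oem_tbl, *_ = ACPI_HDR.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: signature {sig!r}")
    if length != len(table):
        raise ValueError(f"length field {length} != blob size {len(table)}")
    size, addr, layout, ctype = WPBT_BODY.unpack_from(table, ACPI_HDR.size)
    off = ACPI_HDR.size + WPBT_BODY.size
    args = ""
    if ctype == CONTENT_TYPE_NATIVE_USER_APP:
        # type 1 carries a UTF-16LE command line, prefixed by its byte length
        (arg_len,) = struct.unpack_from("<H", table, off)
        off += 2
        if off + arg_len > len(table):
            raise ValueError("argument length runs past end of table")
        args = table[off:off + arg_len].decode("utf-16-le").rstrip("\x00")
    return {
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oem_tbl.rstrip(b"\x00 ").decode("ascii", "replace"),
        "checksum_ok": acpi_checksum_ok(table),
        "binary_size": size,
        "binary_phys_addr": addr,
        "single_pe_image": layout == CONTENT_LAYOUT_SINGLE_PE,
        "native_user_app": ctype == CONTENT_TYPE_NATIVE_USER_APP,
        "command_line": args,
    }


def build_sample_wpbt() -> bytes:
    """Constructed sample table; OEM strings, address and args are placeholders."""
    args = "/quiet".encode("utf-16-le")
    body = WPBT_BODY.pack(0x1E000, 0x7F2A0000, 1, 1) + struct.pack("<H", len(args)) + args
    hdr = ACPI_HDR.pack(b"WPBT", ACPI_HDR.size + len(body), 1, 0,
                        b"VENDOR", b"SAMPLETB", 1, b"EXMP", 1)
    table = bytearray(hdr + body)
    table[9] = (-sum(table)) % 256  # checksum byte sits at offset 9
    return bytes(table)


if __name__ == "__main__":
    # Real tables: GetSystemFirmwareTable('ACPI', 'WPBT') on Windows,
    # /sys/firmware/acpi/tables/WPBT on Linux. Here we parse the sample.
    for key, value in parse_wpbt(build_sample_wpbt()).items():
        print(f"{key:18} {value}")
```

A table that is present but whose checksum fails, or whose length field disagrees with the blob, is worth flagging before trusting any of its other fields.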

      1. J.Goodwin

        Re: Windows only though

        It's complementary to the process that allows you to install Windows onto major vendor laptops without a key (the vendor authorization keys are stored in the BIOS in a similar manner).

        Sounds like a well-intentioned feature that wasn't quite thought through properly. Another possible attack vector if you have physical access to the machine, and a really poor use of it by Lenovo.

      2. Joe Zeff

        Re: Windows only though

        You do understand, don't you, that Ubuntu != Linux? In fact, if I were responsible for setting up a corporate system and was told to use Linux, Ubuntu would be one of my last choices, because of the need for regular updates. (Fedora, which I use at home, would be the very last choice because of its rapid-release cycle.) No, I'd take something like CentOS, so that I wouldn't have to worry about updates breaking things. Businesses need stability much, much more than they need to be running bleeding edge software.

        1. Teiwaz

          Re: Windows only though

          Re: Windows Ubuntu CentOS (apparently) only though

          @ Joe Zeff

          "Linux (e.g. Ubuntu)".

          'e.g.' = abbreviation for exempli gratia: a Latin phrase that means "for example".

          I doubt you'll find a 'Reg' commentard that doesn't know Linux doesn't necessarily mean Ubuntu.

          And as for the O/T rant about updates...?

      3. Anonymous Coward

        @thames - Re: Windows only though

        Nothing is hidden from the OS; with a rootkit, stuff is hidden from the end-user.

        1. Nigel 11

          Re: @thames - Windows only though

          "Nothing is hidden from the OS; with a rootkit, stuff is hidden from the end-user."

          Not true, if something has write access to the OS kernel copied into RAM before it is invoked. Which is exactly what a BIOS does have. It's even able to subvert the bootloader, which comes before the OS and which is equally capable of subverting any OS it loads.

          A simple example with non-malicious intent would be to intercept disk IO operations and cause any access above a nice round number to return an error, as if the disk were that nice round number in size. This was actually used back in the days when disk manufacturers were playing silly buggers shipping a 1002Mb drive that was bigger than a 1000Mb drive, so if you bought a manufacturer X disk and used all its available capacity, you couldn't later replace it with a manufacturer Y "1Gb" disk. Of course, then manufacturer Y shipped a 1002.25Mb disk ....

          There's also Ring -1, the hypervisor, to consider in the case of Intel CPUs, though I'll accept that in this context you may use OS to refer to the hypervisor itself, not the OSes that it supervises.

          1. Mpeler

            Re: @thames - Windows only though

            Hmmm.... couple this with the ring -2 issue from Intel and it sounds like a wild party for all.....

            Of course we mortal users are fscked......

            OK, I'll just go cry in my beer.... here, have one too.....

          2. Szifu

            Re: @thames - Windows only though

            There will be a tool in most Linux distributions that may in future act as the counterpart to WPBT.

            The systemd developed by Red Hat has all the functionality needed to hide everything from the user. When the BIOS injects a function to load something from the net, and this function is a module of systemd....

            I think that 99.5% of users or admins will never find this.

            I don't trust systemd, given its capability to hide or manipulate anything between user, kernel, IP stack or drivers. It acts as a kraken. I will go back to init.d to protect my systems from this crap.

      4. launcap Silver badge

        Re: Windows only though

        > I think the feature was a bit of a bad idea by Microsoft to begin with.

        I suspect it's also the first step in Microsoft trying to provide the facility that Mac machines have - the ability for a bare-metal machine to do a full install from Apple via the Internet.

        Of course, Apple has much tighter control over the hardware and firmware - Microsoft would have to trust that the OEM does a good job of making sure that all the relevant h/w drivers are also present to allow the machine to connect. And we all know how fully trustable the OEMs are, eh?

        1. Dan 55 Silver badge

          Re: Windows only though

          It's not for online Windows installation; if your Windows installation is hosed, it's never going to get to the stage of executing the file held in the BIOS.

      5. Woodnag

        Re: Windows only though

        So is there a patch for WinX to stop the BIOS being tested and executed?

        Then you could install Win with the machine internet-free, patch it, then connect and do the post-install upgrades.

      6. x 7

        Re: Windows only though

        The interesting question is.....how were Lenovo going to install any future driver or software updates? Presumably any subsequent updates would be overwritten and rolled back by the BIOS injection.
