Within the last year, there have been approximately five problematic issues with a certain laptop manufacturer’s units. Lenovo has had its security lapses over time, some better known than others. The latest of these occurred in November 2015 with a problem in Lenovo System Update, the tool that updates drivers and the BIOS when needed and was formerly known as ThinkVantage System Update. This issue was found by IOActive. It has not been the last issue Lenovo has encountered.
Newest Security Issue
Along comes June 2016 and new opportunities for errors. A new security issue was discovered by Dmytro Oleksiuk, aka Cr4sh. The issue lies in the BIOS, and it is not a short-term one: it first appears with the X220 model and persists through the T450. Lenovo has not been exceptionally happy that this occurred and was reported on social media. This showed yet another massive hole in security. The issue was titled Lenovo Security Advisory LEN-8324 and is commonly known as ThinkPwn. The vulnerability was confirmed in early July 2016 by Alex James.
This vulnerability allows an attacker to execute code in System Management Mode (SMM) on the machine. In effect it would act as a rootkit, since it allows a person to disable security features such as the flash write protection and Secure Boot. It would also allow the attacker to bypass the Virtual Secure Mode (VSM) found in Windows 10.
The intent is also in question. The vulnerability could have been a simple coding error. This does not seem likely, as it would have had to go unnoticed through code review (static and dynamic) and any other QA processes. The alternative is that it was intentionally coded as a backdoor to be accessed later in a malicious manner. This would, unfortunately, make more sense.
How did this happen?
Lenovo accepts no responsibility for this error in coding on its equipment, whether intentional or unintentional. Operationally, Lenovo outsources its BIOS development. One of its third-party independent BIOS vendors (IBVs) (i.e. Insyde Software) developed the BIOS via a copy/paste from Intel. Using Intel as a source is not entirely unheard of.
In order to distance itself from the issue and the potential liability and costs, Lenovo is attempting to deflect responsibility to the IBV and Intel. Lenovo noted the chain of events in its security advisory. Granted, the issue came solely from the IBV; however, Lenovo did sell the equipment in order to earn a gross and net profit on each unit. Given its track record of insecurity, Lenovo possibly should have monitored its vendors a bit more closely.
Info Sec Researcher
Lenovo also notes in the security advisory that it is not pleased with the security researcher who found the oversight. The security researcher, Cr4sh, allegedly did not work well with Lenovo and its timeline to resolve the issue. This may or may not be the case. This is only one side of the issue, and at times manufacturers' security teams have their own extended timelines that do not fit the criticality of the issue.
Constantin, L. (2015, November 15). Lenovo patches serious vulnerabilities in PC system upgrade tool. Retrieved from http://www.pcworld.com/article/3008865/security/lenovo-patches-serious-vulnerabitliies-in-pc-system-update-tool.htm.
Constantin, L. (2016, July 5). Lenovo ThinkPwn UEFI exploit also affects products from other vendors. Retrieved from http://www.computerworld.com/article/3091750
Hill, B. (2016, July 4). Lenovo rocked by critical BIOS vulnerability, fingers point to shoddy Intel reference code. Retrieved from http://hothardware.com/news/lenovo-rocked-by-critical-bios-vulnerability
Kopitiambot. (2016, July 5). Critical BIOS vulnerability found in Lenovo PCs; may affect other manufacturers too. Retrieved from https://kopitiambot.com/2016/07.05/critical-bios-vulnerability-found-in-lenovo-pcs-may-affect-other-manufacturers-too/
Lenovo. (2016, June 30). System management mode (SMM) BIOS vulnerability. Retrieved from https://support.lenovo.com/us/en/solutions/len-8324
Veal, N. (2016, July 4). Yet another security flaw found in Lenovo PCs. Retrieved from http://mspoweruser.com/yet-another-security-flaw-found-in-lenovo-pcs/
About Charles Parker, II
Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
Mr. Parker has matriculated and attained the MBA, MSA, JD, and LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and SCADA.