Lenovo - if it's on your network, you ARE breached.
-
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
@travisdh1 said in Lenovo - if it's on your network, you ARE breached.:
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
@travisdh1 said in Lenovo - if it's on your network, you ARE breached.:
@black3dynamite said in Lenovo - if it's on your network, you ARE breached.:
This is an issue when using Windows only?
No, everything.
Superfish is included with the wifi drivers to a point that the wireless chips will not work without it. As for the BIOS level access, well, that's as bad as it gets.
I don't know what Wi-Fi chipset you have; however, we have the direct from Intel drivers so if SuperFish is included here I don't think that is a Lenovo issue.
That's great, you're entire network has already been pwnd tho, thanks to that absolutely assinine BIOS code.
And do you have links to back up these claims? Quite a few Google searches later and at the BIOS level I have not found a vulnerability that was also not found in other manufacturers BIOS as well by other IBV's. This suggests that the issue may be further up the chain. Nasty Lenovo UEFI exploit also affects products from other vendors
While it does not excuse the behavior, the worst thing I have seen in this Lenovo issue, is not what they have done, yet simply the fact they were not up front about it.
Why so I not see any posts saying to banish Siri enabled devices from the network? IBM thought Apple storing transcripts and recordings of interactions was a threat.
How about Barracuda? Between large subnets of allowed addresses on their support ports and hard coded common passwords, I don't see any if you have Barracuda, Russia owns your network posts.Samsung TV's, Amazon Echo's, Google Homes, and other platforms do nothing but use methods to scan your network and force control over your devices and collect data, yet no screams for bans on those.
While a poor example, Windows 10 does almost everything Lenovo is getting cheap for natively. (E.g. Telemetry, you can't turn it 100% off. If you remove an update it automatically puts itself back on. Hell even today I had a machine with expired WebRoot, my only options were to renew webroot or install Windows Defender before continuing) the last one may actually be webroot doing the nagging I have not confirmed that.
Now let be clear, I am not going out and saying Lenovo's are 100% safe, in fact my research today on this topic shows it is not. However, that same research shows no manufacturer is safe. Check out this article on eDellRoot Dell computers with the eDellRoot root certificate may allow attackers to sign SSL/TLS certificates as legitimate sources and can be vulnerable to man-in-the-middle attacks. Even without the article pointing out several times this being reminiscent of Superfish it sounds pretty close to me.
I would support the title of this post being
Some Lenovo consumer modelscomputers are susceptible to really shady things because manufactures want to make money, but the title as is, in my opinion, does not accurately represent the situation.Edit: added source for BIOS claim. Updated closing thoughts based on additional research.
During my search, I think the comment found below sums up the whole thing.
NOT intending to excuse Lenovo, but I work in the business, and ALL major companies (HP, Microsoft, Apple, Google, AT&T, Verizon, Comcast, etc...) Hate Us, and would happily sell razor blades to babies if they could figure out how to weather the lawsuits & still turn a profit...Actually yes. We should be years past anyone asking for proof yet again. This is a dead horse. Lenovo was all over the news time and time again. This isn't anything that came from ML. This is "if people don't know by now they are ignoring it" territory. It's been all over every major IT news outlet for years.
-
I'm a bit shocked that anyone is questioning that there might be some grey area in which Lenovo might be in any way acceptable to use. There is no vendor, ever, to have worked this way. Lenovo is completely unprecedented in the depth, breadth, audacity or repetition of their attacks.
-
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
@travisdh1 said in Lenovo - if it's on your network, you ARE breached.:
@black3dynamite said in Lenovo - if it's on your network, you ARE breached.:
This is an issue when using Windows only?
No, everything.
Superfish is included with the wifi drivers to a point that the wireless chips will not work without it. As for the BIOS level access, well, that's as bad as it gets.
I don't know what Wi-Fi chipset you have; however, we have the direct from Intel drivers so if SuperFish is included here I don't think that is a Lenovo issue.
Part of the issue was that with some of the Lenovos was that they used special chipsets that had only one source and no matter how you acquired it, Superfish was included. NOW, only after being caught and legal issues pressed, drivers are available from other sources. You are looking at this AFTER they were busted, not before. Originally, all available drivers for some Lenovo models had Superfish in them. Your only options were to have Superfish or to use a different OS. In that one particular case, Linux provided a fix to the issue.
After course, now long after being caught, they had to release drivers that don't have any known hijacks in them. That you have drivers today without superfish isn't indicative of anything.
-
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
I would support the title of this post being
Some Lenovo consumer modelscomputers are susceptible to really shady things because manufactures want to make money, but the title as is, in my opinion, does not accurately represent the situation.Except it was commercial models, as is well known, that were affected. This "we rebranded things that were breached as consumer after the fact" BS is seriously bad and itself is a security concern. No IT person should ever repeat this. It's completely false and totally misleading and is a result of Lenovo socially engineering their customers. As we say in IT, the biggest risk is people not technology and that you are repeating this incorrect information tells us that you have been compromised by Lenovo. You actually just proved our point, Lenovo has manipulated you into repeating a security falsehood to promote their attacks. This shows the extent to their devious nature.
Travis even mentioned this in the OP. There is zero question here, commercial models are where this was discovered. It's actually all commercial, NOT consumer, that we are aware of as issues.
It was actually because it was commercial units that made finding Superfish so easy because it was equipment specifically for IT pros with Windows 10 Pro on it that made Superfish easy to spot because SF breaks sites like MangoLassi and also breaks ActiveDirectory. Both of those things were reported on ML while troubleshooting the first Superfish discovery and led to figuring out that the network was being shimmed.
-
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
NOT intending to excuse Lenovo, but I work in the business, and ALL major companies (HP, Microsoft, Apple, Google, AT&T, Verizon, Comcast, etc...) Hate Us, and would happily sell razor blades to babies if they could figure out how to weather the lawsuits & still turn a profit...
But that is what you are doing. Not a one of those examples is even remotely like Lenovo. Not a one has come close as to how bad it was, not one has come close to doing it repeatedly. That you'd mention any of those as some sort of comparison means either that you are trying to make Lenovo sound better than it is or you don't understand what Lenovo has done that we are discussing. There are no known issues in IT history that are comparable to Lenovo. Not a one. And Lenovo has done it more than once.
If you want to have an honest discussion about Lenovo, you can't mention stuff like this nor repeat Lenovo's own false social engineering security attacks to make them sound reasonable or plausible. If for no other reason, someone reading this thread might actually think that what Lenovo has done might not be absolutely true (it is, it's all over the news, it's beyond reasonable question, it's happened to people you know, it was discovered on a machine you've seen first hand by people you know personally, it actively disabled the very site we are writing on to discuss it) or that the degree to which this was unthinkably bad isn't what it is.
-
The Pentagon seems to agree that Lenovo is a specific threat that other vendors are not. They don't see other vendors in the same light:
https://mangolassi.it/topic/11320/pentagon-warns-against-using-lenovo-equipment
-
Don't forget this one reported by Webroot...
https://mangolassi.it/topic/7748/lenovo-screws-the-pooch-yet-again-on-the-security-front
-
And the big one, other than Superfish, Lenovo adding rootkits to the hardware in order to deploy malware onto their boxes against the wishes or knowledge of users:
-
All of those original threads have links to original sources, ML is not the source of anything originally except, of course, for Superfish which was discovered here first.
-
@scottalanmiller I will review your links; however, I think the overall point was missed here.
My point is not Lenovo is safe, my point is there are other companies doing the same or similar shady practices and yet they are being marked as safe. Much like officiating, I don't care if someone always is right or wrong, just be consistent.
Dell has (had) Superfish as well, links in my original post, yet that is ok to you because they are not Lenovo
HP has the same SMM BIOS remote execution code that is being discussed as Lenovo owning your network. Yet, this thread says HP is safe. Again, on the only argument is that it is nor Lenovo.
-
@scottalanmiller said in Lenovo - if it's on your network, you ARE breached.:
And the big one, other than Superfish, Lenovo adding rootkits to the hardware in order to deploy malware onto their boxes against the wishes or knowledge of users:
I'm pretty sure this particular one is an over statement by Scott. As far as I know no malware was discovered in this (I'll agree with this term) hardware rootkit. Could it be used this way, absolutely, but I'm currently unaware or not remembering actual malware deployed through this.
Junkware on the other hand - sure. Lenovo's own crapware to help them deploy their own drivers, etc. This was after the SF issue, so again, it's not known if actual malware was distributed this way. -
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
@scottalanmiller I will review your links; however, I think the overall point was missed here.
My point is not Lenovo is safe, my point is there are other companies doing the same or similar shady practices and yet they are being marked as safe. Much like officiating, I don't care if someone always is right or wrong, just be consistent.
Dell has (had) Superfish as well, links in my original post, yet that is ok to you because they are not Lenovo
Your article doesn't really have enough information. It doesn't say if it was ever discovered why these certs where included. In the case of Lenovo, we know that Lenovo included 3rd party software that included SuperFish - which is bad enough, but even worse, Lenovo keyed their hardware preventing the use of non SuperFish infected Network Drivers. The Dell article indicates that dell simply included a cert - but again not why. The why is very important.
Furthermore Lenovo released press releases that said that there was nothing wrong with their laptops and that they didn't include such malware, which is clearly false. This was then finally later followed up by new drivers devoid of the SF malware.
HP has the same SMM BIOS remote execution code that is being discussed as Lenovo owning your network. Yet, this thread says HP is safe. Again, on the only argument is that it is nor Lenovo.
The SMM BIOS issue is less an issue for me personally. From my view, the vendors are using these features to assist users getting their systems back to a stable condition. I already responded above saying that Scott is making an overstatement about the use of SMM BIOS codes.
of course, this said - manufactures SHOULD provide a way to disable this in the BIOS/UEFI. -
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
@scottalanmiller I will review your links; however, I think the overall point was missed here.
My point is not Lenovo is safe, my point is there are other companies doing the same or similar shady practices and yet they are being marked as safe. Much like officiating, I don't care if someone always is right or wrong, just be consistent.
Lenovo forcing the use of their own SuperFish'ed driver via hardware locks is what makes Lenovo so untrustable. This is unforgivable to me. They were very well aware that they were installing a network shim on these computers. If you agree they were unaware of the harm available via this shim, then you must also agree that they are incapable of making good hardware (secure) because they lack fundamental understandings of that hardware platform and should be out of business. If they did understand the harm available due to this shim, then they are complicate in the act, and should also be out of business.
-
@dashrender said in Lenovo - if it's on your network, you ARE breached.:
Your article doesn't really have enough information. It doesn't say if it was ever discovered why these certs where included
I was trying to avoid manufacturer links however here is Dell's statement
Doesn't excuse the blatant security risk they created by doing it
-
Ok fine, I would excuse that they made a mistake including the private key, but mistakes happen, we are human after all, even Scott have made one or two in his life.
And that release is basically Dell taking the hit, though admittedly they didn't call themselves out in that post.
I most of us can allow mistakes, but Lenovo didn't make a mistake. It wasn't an accident that the hardware was key locked to a code from Lenovo for drivers, it wasn't as mistake that the drivers had SF embedded in the drivers. It wasn't a mistake that they denied these things when they first came to light.
Lenovo was clearly gambling that we would never find out. This Dell thing was an accident/ mistake.
The SMM thing is actually part of the system being used as designed. Computrace has been using it for over a decade to reinstall tracking software on stole devices, the main reason someone brought it up now was two fold: first because Lenovo was in the news for being shady recently, and also because it was doing something that wasn't purchased specifically by the user, unlike computrace. -
@dashrender said in Lenovo - if it's on your network, you ARE breached.:
Ok fine, I would excuse that they made a mistake including the private key, but mistakes happen, we are human after all, even Scott have made one or two in his life.
And that release is basically Dell taking the hit, though admittedly they didn't call themselves out in that post.
I most of us can allow mistakes, but Lenovo didn't make a mistake. It wasn't an accident that the hardware was key locked to a code from Lenovo for drivers, it wasn't as mistake that the drivers had SF embedded in the drivers. It wasn't a mistake that they denied these things when they first came to light.
Lenovo was clearly gambling that we would never find out. This Dell thing was an accident/ mistake.
The SMM thing is actually part of the system being used as designed. Computrace has been using it for over a decade to reinstall tracking software on stole devices, the main reason someone brought it up now was two fold: first because Lenovo was in the news for being shady recently, and also because it was doing something that wasn't purchased specifically by the user, unlike computrace.This is key. Lenovo had three "non-accidents" of unprecedented proportions. Did they also have "mistakes" above and beyond those like everyone else? Sure, but we aren't talking about those. We are talking about malicious, unforgivable attacks on their end users. We are talking about a company that hoped they wouldn't get caught, got caught, and kept right on doing it because they don't care.
And bottom line, people using Lenovo at this point don't care (how could you) and are in a position of being implicated in security concerns. Lenovo has lost the security conscious market. That's gone. They've reduced their customer base only to those that value price over security of their organizations at a pretty extreme level. So while smaller, Lenovo now has shown that with the right marketing they can push their current users to any level that they want.
They have an army of people on places like SW who will attack anyone that points out the security or ethics problems, who will cover up issues or try to belittle them. Lenovo has shown that in many cases, marketing is more powerful than security, even to the IT world.
-
@dashrender said in Lenovo - if it's on your network, you ARE breached.:
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
@scottalanmiller I will review your links; however, I think the overall point was missed here.
My point is not Lenovo is safe, my point is there are other companies doing the same or similar shady practices and yet they are being marked as safe. Much like officiating, I don't care if someone always is right or wrong, just be consistent.
Dell has (had) Superfish as well, links in my original post, yet that is ok to you because they are not Lenovo
Your article doesn't really have enough information. It doesn't say if it was ever discovered why these certs where included. In the case of Lenovo, we know that Lenovo included 3rd party software that included SuperFish - which is bad enough, but even worse, Lenovo keyed their hardware preventing the use of non SuperFish infected Network Drivers. The Dell article indicates that dell simply included a cert - but again not why. The why is very important.
Furthermore Lenovo released press releases that said that there was nothing wrong with their laptops and that they didn't include such malware, which is clearly false. This was then finally later followed up by new drivers devoid of the SF malware.
HP has the same SMM BIOS remote execution code that is being discussed as Lenovo owning your network. Yet, this thread says HP is safe. Again, on the only argument is that it is nor Lenovo.
The SMM BIOS issue is less an issue for me personally. From my view, the vendors are using these features to assist users getting their systems back to a stable condition. I already responded above saying that Scott is making an overstatement about the use of SMM BIOS codes.
of course, this said - manufactures SHOULD provide a way to disable this in the BIOS/UEFI.Any software that isn't supposed to be there pushed in this way IS malware, period. There is no grey area. If a hostile entity puts things Im' trying to block onto my network, that's malware. That the malware didn't have a chance to do something really malicious and was still in a deployment testing mode makes no difference.
-
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
And do you have links to back up these claims? Quite a few Google searches later and at the BIOS level I have not found a vulnerability that was also not found in other manufacturers BIOS as well by other IBV's. This suggests that the issue may be further up the chain. Nasty Lenovo UEFI exploit also affects products from other vendors
No, this is an ADDITIONAL security problem that no one is talking about with Lenovo. That's how bad Lenovo is, their later actual mistakes are bad enough that they have been used to cover up their earlier, far worse non-mistake security issues. What you are listing here is not at all the type of or level of issue that Travis meant by this thread or what any of us mean when talking about the evils of Lenovo. This is just general incompetence or errors that all vendors make.
For all we know, Lenovo did this on purpose knowing that media attention about something that they could mitigate would go a long way to erasing the social memory of the things that they had done before. IT has been shown to have a very, very short memory and whether Lenovo managed to plan a social engineering of it or it was just a happy accident - they actually managed to get positive marketing covering up their unforgivable acts by having a security exploit discovered.
Think about how bad that actually makes it....
- Do unthinkably bad attack on customers.
- Get caught.
- Show no remorse.
- Casually include major security mistake a year later.
- Act quick to make sure it is discovered on your systems first.
- Quickly show that you are not alone and it is a broad industry mistake.
- Use new security hole as a tool to hack the wetware of IT departments and make them feel that all the former Lenovo-specific issues were derived for this "mistake" two years later.
-
@dashrender said in Lenovo - if it's on your network, you ARE breached.:
Junkware on the other hand - sure. Lenovo's own crapware to help them deploy their own drivers, etc. This was after the SF issue, so again, it's not known if actual malware was distributed this way.
That's malware. Plain and simple. When deployed via a rootkit. And more importantly, there was a rootkit!!
-
@donaldlandru said in Lenovo - if it's on your network, you ARE breached.:
@scottalanmiller I will review your links; however, I think the overall point was missed here.
My point is not Lenovo is safe, my point is there are other companies doing the same or similar shady practices and yet they are being marked as safe.
No, this is missing the point. The point is that no one but Lenovo has ever done stuff like this. No one. If you think that there is any other company that you can use as a "see they did this too" then you've missed what has happened. We aren't talking about safe, we are talking about malicious. HPE and Dell are not your enemies, nor are they completely safe. But Lenovo is the actual enemy.
I'm extremely aware of the overall point here and am trying to show why you are missing how this all comes together. Travis wasn't pointing out that Lenovo made mistakes like all companies do, that's something you brought to the discussion. He (and we) are talking about the things that only Lenovo has done that are unlike anything seen in the industry before.
Lenovo is completely unique here. Any attempt to compare to another company, unless you have security examples none of us have ever heard of, means you are missing the discussion and are talking about something different.