Exploiting a feature originally designed for anti-theft systems, Lenovo has installed programs of dubious value and impossible to remove on its desktop and notebook systems from October 2014 to April 2015.
The operating systems Windows 8 and Windows 10 incorporate a feature that enables PC manufacturers to integrate a Windows executable in the system firmware. This executable can be extracted during the boot and started, allowing the manufacturer to install their own software even when a computer is ” planed ” and runs a clean installation.
If most of the OEM does not seem to make use of this feature, Ars Technica recently found that Lenovo has instead exploited between October 2014 and April 2015 to install a software in some of its desktop and notebook systems. It is software Lenovo Service Engine, which performs different tasks depending on which is installed on a desktop or a notebook.
In the first case the software only collects some basic information (the PC model, the geographic region, date and system ID) and sends them to the Lenovo server only when the first connection of the system to the Internet. The information collected should not allow any kind of user identification, even if the system ID is a unique code for each device.
When LSE is installed on a notebook, will install another application called OneKey Optimizer. It is a software that while addressing some useful activities, such as updating drivers, also performs other functions whose usefulness is rather doubtful, as ” optimization ” of the system and ” cleaning ” file.
The problem, though, is that the Exchange and / or OKO are not reliable software, having shown a number of problems (such as buffer overflow and insecure network connections) that were disclosed to Lenovo and Microsoft in recent months by the researcher Safety Roel Schouwenberg. Following the notifications received from Schouweberg, Lenovo has decided no longer to include in the new LSE systems (products on the market from June should no longer submit software) and has released a firmware update for both notebooks and for desktop.
Tied to the LSE, it was discovered a problem even more annoying and affects unexpectedly operating system Windows 7. In this case, it seems LSE going to replace a system file Windows, autochk.exe, running a disk check all startup. The fake autochk.exe creates system services that bring files on an HTTP connection is not encrypted.
The particulars Lenovo speaks of can overwrite system files, but it is unclear how this can be done on Windows 7 as the ability to launch executables stored in the firmware is a feature included only in Windows 8 and then it is not even clear why should overwrite a file system.
The main purpose of the launch functionality of executable firmware is designed primarily to be able to automatically install the software anti-theft solutions. This type of software does a number of things that require connectivity, such as communicate its position or allow the block to be remote. Since it is not uncommon for laptops see the hard deleted, the functionality is designed to allow you to restore the anti-theft even after the cancellation of the disk and be able to report that the system was stolen.
It is not the only technique that is used in the industry to inject into the operating system solutions anti-theft: in case for example: of one of the solutions more anti-theft equipment, LoJack / Computrace, is used a portion of BIOS code that goes to amend the Windows system files, including autochk.exe. It is possible that the LSE also uses a similar technique when you boot you older operating systems like Windows 7.
Limited to the anti-theft is a sensible and useful feature that leaves, in effect the owner of a system the decision to determine the appropriate level of protection in case of theft. LoJack / Computrace, for example, is normally present in the state ” disabled ” and requires user intervention to be made operational. Very different is the case of the LSE: it is not a software really useful, show safety problems and, moreover, is enabled by default.