Not again, Lenovo. Seriously?

You guessed it. They’ve been caught shipping their customers computers laden with privacy-unfriendly malware, showing that they haven’t learned the lessons from the public outcry over Superfish.

This particular piece of malware runs daily, and collects personal usage data, which is then surreptitiously forwarded to Omniture – an online marketing and web analytics firm that was acquired by Adobe in 2009.

Bizarrely, this particular piece of malware found its way to Lenovo’s ThinkPad, ThinkCentre and ThinkStation PCs. These are the higher-end machines in Lenovo’s lineup, costing as much as an equivalent Apple Computer, and are aimed at power and business users.

So, what happened?

Lenovo Is Spying On You

The first person to discover this particular piece of malware was Michael Horowitz – a columnist for ComputerWorld who pens the Defensive Computing column.

Horowitz recently purchased two laptops from IBM. The first was a ThinkPad T520, the second was a ThinkPad T420. Both were refurbished, and shipped with fresh installations of Windows 7 Professional.

Shortly after acquiring them, he installed TaskSchedulerView. This is a freeware application from NirSoft that makes it simple to see what tasks are scheduled in Windows. On both laptops, he found an entry that concerned him. Each day, his computers were running a program called the “Lenovo Customer Feedback Program 64”.

The identity of the makers of this program is obvious. Its author was “Lenovo”, and the accompanying description said: “This task uploads Customer Feedback Program data to Lenovo”. Actually, it was going to Omniture, the marketing company we mentioned earlier. It’s not totally clear what data they were collecting.

But it is clear they were able to get away with it by burying it in a pages-deep EULA that you almost certainly won’t read. Nobody reads EULAs.

Later in this post, we’re going to talk about how you can remove the Lenovo Customer Feedback Program if you’ve got an affected machine. But first, it’s probably a good idea to start talking about the multiple crimes against privacy Lenovo have committed in the past few months.

SuperFish

Of all of Lenovo’s own-goals over the past month, few were as public and disastrous as the SuperFish debacle of February this year. If you want to read about it in more detail, I suggest you check out Christian Cawley’s reporting of the incident, which was excellent.

In short, last year Lenovo shipped a bunch of low-to-mid-end laptops with a piece of software called SuperFish. In Lenovo’s own words, this was to empower consumers to “find and discover products visually”. But really, it was a nasty piece of malware that hijacked users’ web browsers, and inserted their own adverts.

But it did more than that. It injected a self-signed root HTTPS certificate, which allowed them to hijack any and all encrypted traffic. HTTPS is what makes online banking and online shopping secure, and SuperFish effectively broke that.

Breaking HTTPS also allowed them to inject adverts into secure websites, like Amazon. My colleague Dann Albright wrote an explainer of SSL Hijacking earlier this year. But it also fundamentally undermines your own personal security. What’s worse, it used the same encryption key on each infected machine.

Terrible practice. Terrible security. But believe me, it gets much, much worse.

Unbeatable, BIOS-Based Malware

In August this year, it transpired that Lenovo had loaded laptops with unwanted malware that couldn’t be removed by wiping your computer.

Let that set in for a second. If you replaced your hard drive and re-installed Windows, you’d still be stuck with it. Your only option would be to either return the laptop to the manufacturer, or install an alternative OS like Linux or BSD.

This malware was hidden in the laptop’s firmware, and abused the anti-theft feature in Windows 8 and 10. Whenever the laptop booted up, the executable would be extracted from the firmware and installed. Because it was in the firmware, it was persistent.

Lenovo used this to force the OneKey Optimizer on consumers. This, as Ars Technica pointed out, does some useful system maintenance like updating system drivers. But it also does some tasks of questionable value, like performance “optimizations” and cleaning “system junk files”.

It didn’t help that the OneKey Optimizer is filled with security issues. There are buffer overflows and insecure network connections galore. It’s certainly not something you’d install of your own volition.

Lenovo have stopped shipping laptops with the dodgy firmware, and have issued replacement firmware for affected laptops.

As you can see, Lenovo is a bit of a recidivist when it comes to disrespecting their customers’ privacy. But how do you deal with the current Lenovo screw-up-du-jour?

How To Fix It

Knowing is the first battle. If your laptop is a ThinkStation, ThinkCentre, or a ThinkPad, you’re potentially infected. First, grab a copy of TaskSchedulerView, and have a look to see if there’s “Lenovo Customer Feedback Program 64” running.

If it’s there, bad luck. Lenovo has been spying on you. That said, you’ve got a few options:

  • Manually remove it from the control panel. Here, it’s listed in Programs and Features. Click Uninstall, and follow the dialogs until you’re done.
  • After 90 days, the malware will ultimately delete itself. Although, I wouldn’t recommend you wait that long, as who knows what it’s phoning home with.
  • You can take control, and replace Windows with GNU/Linux. I recommend Ubuntu as an all-purpose desktop OS.
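
The check described above can also be done without a third-party viewer. The script below is an added example, not part of the original article: it lists scheduled tasks whose name contains “Lenovo Customer Feedback Program” using the built-in schtasks.exe, and disables them when asked. The `-Disable` switch and the `$Pattern` parameter are names made up for this example, and the column names assume an English-language Windows installation.

```powershell
# Added example: find (and optionally disable) the scheduled task named in the article.
# schtasks.exe is used instead of Get-ScheduledTask so this also runs on Windows 7.
param(
    [string]$Pattern = 'Lenovo Customer Feedback Program',  # task name as given in the article
    [switch]$Disable                                         # example-only switch; needs an elevated prompt
)

# /V adds the Author, "Task To Run" and state columns; /FO CSV makes the output parseable.
# Assumption: English column headers (they are localized on other Windows languages).
$rows = schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv

$hits = $rows |
    # schtasks can repeat the CSV header between task folders; drop those pseudo-rows.
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.TaskName -like "*$Pattern*" } |
    # A task with several triggers is listed once per trigger; keep one row per task.
    Sort-Object -Property TaskName -Unique

if (-not $hits) {
    Write-Output "No scheduled task matching '$Pattern' was found."
    return
}

# Show what the task is, who registered it, and which executable it launches.
$hits |
    Select-Object TaskName, Author, Status, 'Scheduled Task State', 'Last Run Time', 'Task To Run' |
    Format-List

if ($Disable) {
    foreach ($task in $hits) {
        # TaskName already contains the full folder path, which /TN accepts.
        schtasks.exe /Change /TN $task.TaskName /Disable
    }
}
```

Run it once without `-Disable` to review the matches, including the “Task To Run” path, before changing anything.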

Please Stop Buying Lenovo Products

Lenovo haven’t learned their lessons. They don’t respect their customers. They don’t respect your privacy or security. You shouldn’t buy their products.

Moreover, it shows a blatant lack of respect for their users. If you buy a laptop (and remember, ThinkPads are expensive), you should expect the business relationship to end once you’ve taken ownership of it, except for when it comes to warranties and support. You certainly shouldn’t expect your laptop manufacturer to actively surveil you for their own benefit.

So, please. Once again. Stop buying Lenovo products. It’s the only way they’ll learn.

If you’ve got this piece of badware installed on your computer, or you’d like to recommend an alternative PC manufacturer to Lenovo, I want to hear about it. Leave me a comment below and we’ll chat.

Photo Credit: Chip on Motherboard by VedMe85 (Via Shutterstock)

  1. Lucyrad
    July 27, 2016 at 12:34 am

    I know this post is old, at least 1 year. First I have to say sorry for not having a good control of English. I purchased a Lenovo laptop 2014, wonderful, it worked like a charm, but then 2015 I installed windows 10 update to windows 7 sp1 and hell broke loose. With the automatic updates I got all Lenovo's curses: Customer feedback, Lenovo driver, Platform service, PM service. My computer started to have a mind of its own: restarting randomly, freezing, crashing, the mouse won't work, I had to unplug to restart. And to make the story shorter, I reinstalled windows at least 3 times. But Lenovo came back at me with windows 10 automatic updates from Microsoft. I uninstalled everything from Lenovo and what do you know, in one hour everything was back. And so on every day. After uninstalling all crap Lenovo, computer works fine, until they appear again. I got rid of Automatic updates, Cortana and One drive but Lenovo still install all crap back. So is not Lenovo had me killed is Microsoft allowing all. What do they care my computer is Lenovo?
    I just think they are together in this. Microsoft have to update windows 10 not computers and drivers. Worst of all, there is no fix for such a fraud. They got my money when I purchased the laptop now they want my life. Thanks Microsoft and Lenovo. Shame on you.

  2. lucio lardi
    June 19, 2016 at 9:07 am

    I have conflicted since last November with a PUP brought by UltraUnzip. I never suspected such a software as I thought it was preinstalled and when I realised that UltraUnzip was the problem I thought that maybe I installed it by mistake when preparing my new PC for use. Now your article has spurred a second thought - maybe I was right and it came to me preinstalled.

  3. michaelhorowitz
    September 30, 2015 at 10:53 pm

    There are two types of data collection spelled out by Lenovo in their document on the subject

    https://support.lenovo.com/us/en/documents/ht102023

    One type of data collection stops after 90 days, they say, the other does not. The other also does not appear in the list of installed software which is why you have to hack the task scheduler to stop it from running. Or, you can find and modify the dozen programs that feed it data and turn off the data collection in each of them.

  4. steve20202
    September 26, 2015 at 8:49 pm

    Anyone who uses Windows 10, Android, or web browsers without clearing their entire cache every day and using a proxy is in the same boat as Lenovo users. People seem to pick and choose the privacy invasions they're going to be offended by nowadays. If you really want privacy, then you can start by using a Linux distribution and a VPN and even then it's not going to protect you from the government.

  5. Lindsay Gnesios
    September 25, 2015 at 10:30 pm

    It looks like I've got it installed too, but I can't find it in my control panel. Is it listed as something else, like Lenovo Dependency Package or something? That sounds pretty suspicious...

  6. Prateek Agarwal
    September 25, 2015 at 3:26 pm

    This is ridiculous. I heard about it before but this is too much. I was going to buy my next Lenovo Laptop. Now I'll have to think about it...

  7. likefun butnot
    September 24, 2015 at 9:08 pm

    There simply aren't many companies making enterprise-grade client computer product lines. For portable computers, Dell has Latitude and Precision. Toshiba has Tecra and HP has Elitebook... and Lenovo has Thinkpad. That's it. That's the list. Maybe throw in Surface devices from Microsoft and/or Macbook Pros if you're feeling charitable.

    Of those, Lenovo is the only company that offers a global warranty. It also has a long history of shipping extremely rugged, modular hardware that's easily serviced. There's a reason Thinkpad hardware is highly regarded by techies and businesspeople alike.

    I don't have any machines impacted by the current issue, though I do have Tx20 and Tx30 machines (I'm actually typing on a T420 right now). I spot-checked a couple machines and can't find the indicated software on any of them. I'm not sure what OS media or Windows licensing model was used to load Windows on the computers in the article, it is at the very least something optional and probably tied to either OEM media or optional Lenovo-branded software that a technician would have to add after the fact. I checked machines running Windows 7 Enterprise, a Lenovo Windows 7 Pro (Lenovo OEM license) and retail Windows 10 Pro.

    I'm not going to install OneKey Optimizer, but on the surface, it looks very similar to the PC Doctor software that used to ship with most Windows-based laptops. "Optimizers" of any provenance are dubious at best, but software of similar function (less the apparently reporting to a third party) has shipped with branded OEM PCs for at least the last decade.

    Is OneKey actually Malware? Maybe. I think I might break out a Network traffic monitor and see what it's actually sending out. It might be the same sort of BS telemetry that Windows 10 sends to Microsoft (or, hey, that OSX sends to Apple and Android sends to Google) or other fairly innocuous information.

    In any case, it's not forced on you by your system firmware. It does seem to be something that can be removed and it also appears to be an optional install in the first place.

    I'm not saying that there's nothing to worry about or that there isn't an ongoing breach of trust between Lenovo and people using its products, but this does not appear to be an issue on the same level as Superfish and there's really no reason to scream fire in a crowded theater. I especially don't think that the issue as it presently stands is a good reason to boycott Lenovo.
