
Not again, Lenovo. Seriously?

You guessed it. They’ve been caught shipping their customers computers laden with privacy-unfriendly malware, showing that they haven’t learned the lessons from the public outcry over Superfish.

This particular piece of malware runs daily, and collects personal usage data, which is then surreptitiously forwarded to Omniture – an online marketing and web analytics firm that was acquired by Adobe in 2009.

Bizarrely, this particular piece of malware found its way to Lenovo’s ThinkPad, ThinkCentre and ThinkStation PCs. These are the higher-end machines in Lenovo’s lineup, costing as much as an equivalent Apple Computer, and are aimed at power and business users.

So, what happened?

Lenovo Is Spying On You

The first person to discover this particular piece of malware was Michael Horowitz, a columnist for ComputerWorld who pens the Defensive Computing column.


Horowitz recently purchased two laptops from IBM. The first was a ThinkPad T520, the second was a ThinkPad T420. Both were refurbished, and shipped with fresh installations of Windows 7 Professional.


Shortly after acquiring them, he installed TaskSchedulerView. This is a freeware application from NirSoft that makes it simple to see what tasks are scheduled in Windows. On both laptops, he found an entry that concerned him. Each day, his computers were running a program called the “Lenovo Customer Feedback Program 64”.

The identity of the makers of this program is obvious. Its author was “Lenovo”, and the accompanying description said: “This task uploads Customer Feedback Program data to Lenovo”. Actually, it was going to Omniture, the marketing company we mentioned earlier. It’s not totally clear what data they were collecting.

But it is clear they were able to get away with it by burying it in a pages-deep EULA that you almost certainly won’t read. Nobody reads EULAs.

Later in this post, we’re going to talk about how you can remove the Lenovo Customer Feedback Program if you’ve got an affected machine. But first, it’s probably a good idea to start talking about the multiple crimes against privacy Lenovo have committed in the past few months.

SuperFish

Of all of Lenovo’s own-goals over the past month, few were as public and disastrous as the SuperFish debacle of February this year. If you want to read about it in more detail, I suggest you check out Christian Cawley’s reporting of the incident, which was excellent.

In short, last year Lenovo shipped a bunch of low-to-mid-end laptops with a piece of software called SuperFish. In Lenovo’s own words, this was to empower consumers to “find and discover products visually”. But really, it was a nasty piece of malware that hijacked users’ web browsers, and inserted their own adverts.

But it did more than that. It injected a self-signed root HTTPS certificate, which allowed them to hijack any and all encrypted traffic. HTTPS is what makes online banking and online shopping secure, and SuperFish effectively broke that.


Breaking HTTPS also allowed them to inject adverts into secure websites, like Amazon. My colleague Dann Albright wrote an explainer of SSL hijacking earlier this year. But it also fundamentally undermines your own personal security. What’s worse, it used the same encryption key on each infected machine.

Terrible practice. Terrible security. But believe me, it gets much, much worse.

Unbeatable, BIOS-Based Malware

In August this year, it transpired that Lenovo had loaded laptops with unwanted malware that couldn’t be removed by wiping your computer.

Let that set in for a second. If you replaced your hard drive and re-installed Windows, you’d still be stuck with it. Your only option would be to either return the laptop to the manufacturer, or install an alternative OS like Linux or BSD.

This malware was hidden in the laptop’s firmware, and abused the anti-theft feature in Windows 8 and 10. Whenever the laptop booted up, the executable would be extracted from the firmware at boot-up and installed. Because it was in the firmware, it was persistent.


Lenovo used this to force the OneKey Optimizer on consumers. This, as Ars Technica pointed out, does some useful system maintenance like updating system drivers. But it also does some tasks of questionable value, like performance “optimizations” and cleaning “system junk files”.

It didn’t help that the OneKey Optimizer is filled with security issues. There are buffer overflows and insecure network connections galore. It’s certainly not something you’d install of your own volition.

Lenovo have stopped shipping laptops with the dodgy firmware, and have issued replacement firmware for affected laptops.

As you can see, Lenovo is a bit of a recidivist when it comes to disrespecting their customers’ privacy. But how do you deal with the current Lenovo screw-up-du-jour?

How To Fix It

Knowing is the first battle. If your computer is a ThinkStation, ThinkCentre, or a ThinkPad, you’re potentially infected. First, grab a copy of TaskSchedulerView, and have a look to see if there’s “Lenovo Customer Feedback Program 64” running.

If it’s there, bad luck. Lenovo has been spying on you. That said, you’ve got a few options:

  • Manually remove it from the control panel. Here, it’s listed in Programs and Features. Click Uninstall, and follow the dialogs until you’re done.
  • After 90 days, the malware will ultimately delete itself. Although, I wouldn’t recommend you wait that long, as who knows what it’s phoning home with.
  • You can take control, and replace Windows with GNU/Linux. I recommend Ubuntu as an all-purpose desktop OS.
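
The scheduled-task check described above can also be scripted, which helps when there is more than one machine to look at. This is an added example, not something from the article or from Lenovo; it assumes an elevated PowerShell prompt and English column names in the `schtasks` output, and the match patterns are built from the task name and description quoted earlier.

```powershell
# Added example, not from the article: look for the scheduled task it describes.
# Run from an elevated PowerShell prompt so tasks in every folder are visible.
# Assumes English column names in schtasks output (they are localized elsewhere).

$taskPattern = '*Lenovo Customer Feedback Program*'   # task name quoted in the article
$notePattern = '*Customer Feedback Program data*'     # task description quoted in the article

# schtasks.exe is used because Windows 7 (the OS on the article's laptops)
# does not have the Get-ScheduledTask cmdlet.
$rows = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' }        # header row repeats per task folder

$hits = $rows |
    Where-Object { $_.TaskName -like $taskPattern -or $_.Comment -like $notePattern } |
    Select-Object TaskName, Author, Comment, 'Task To Run', 'Last Run Time',
                  'Scheduled Task State' -Unique       # one row per task, not per trigger

if ($hits) {
    Write-Warning ("Found {0} matching scheduled task(s):" -f @($hits).Count)
    $hits | Format-List
} else {
    Write-Output 'No scheduled task matching the Lenovo Customer Feedback Program was found.'
}
```

The `Task To Run` field shows which executable the task launches, which makes it easier to find the matching entry in Programs and Features.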

Please Stop Buying Lenovo Products

Lenovo haven’t learned their lessons. They don’t respect their customers. They don’t respect your privacy or security. You shouldn’t buy their products.

Moreover, it shows a blatant lack of respect for their users. If you buy a laptop (and remember, ThinkPads are expensive), you should expect the business relationship to end once you’ve taken ownership of it, except for when it comes to warranties and support. You certainly shouldn’t expect your laptop manufacturer to actively surveil you for their own benefit.

So, please. Once again. Stop buying Lenovo products. It’s the only way they’ll learn.

If you’ve got this piece of badware installed on your computer, or you’d like to recommend an alternative PC manufacturer to Lenovo, I want to hear about it. Leave me a comment below and we’ll chat.

Photo Credit: Chip on Motherboard by VedMe85 (Via Shutterstock)
