It just keeps happening. Over the years, Chinese computer and smartphone manufacturer Lenovo has been caught pushing bad software on its users. It's not just bad: it's flawed. Whether drivers, workarounds, or bloatware, Lenovo has a terrible record for protecting its users.

Repeatedly, the point is underlined: if you value security and privacy, Lenovo PCs and laptops are not safe. Let's look at why the time has come to start looking elsewhere for affordable computers.

Lenovo Computers: Safe or Not?

Before we do that, however, now is a good time to give Lenovo some credit. After buying IBM's computer business in 2005, it became the largest smartphone manufacturer in mainland China by 2014. Not bad for a company only formed 30 years earlier.

In that same period, Lenovo has managed to establish a market share of over 10 percent in the USA. This is a company that has become increasingly popular with consumers. Laptops, innovative hybrid PCs, and affordability all underline Lenovo's brand.

But since establishing its market-leading position, Lenovo has taken its customers for granted.

1. Lenovo Service Engine

Appearing on devices that shipped from October 2014 to June 2015, the Lenovo Service Engine supposedly sent non-identifiable system information from your PC to Lenovo the first time your computer went online. Meanwhile, the Lenovo OneKey Optimizer bloatware would be installed on laptops.

Worse still, these same behaviors would occur following a clean install, thanks to a Windows 8 feature called Windows Platform Binary Table (WPBT), which stores executables within the UEFI firmware. It turned out, however, that Lenovo Service Engine had various security issues and, as a result, didn't meet the guidelines for WPBT inclusion, which is intended for anti-theft software.

Lenovo Service Engine has since been discontinued, and Lenovo has issued instructions for its removal.
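
Because the WPBT is an ACPI table published by the firmware, you can check whether a machine carries one independently of anything installed in Windows. The following is an added example, not code from Lenovo or Microsoft: it parses a raw WPBT table and reports the size and location of the executable the firmware hands to Windows. The field layout follows Microsoft's WPBT specification, and the sample table and its values are constructed.

```python
import struct

# 36-byte ACPI table header, then the WPBT-specific fields
# (layout per Microsoft's WPBT specification).
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_BODY = struct.Struct("<IQBBH")  # size, address, layout, type, args length


def parse_wpbt(raw: bytes) -> dict:
    """Parse a raw WPBT ACPI table into the fields an auditor needs."""
    fixed = ACPI_HEADER.size + WPBT_BODY.size
    if len(raw) < fixed:
        raise ValueError("too short to be a WPBT table")
    sig, length, _rev, _sum, oem_id, *_rest = ACPI_HEADER.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError("not a WPBT table")
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(raw, ACPI_HEADER.size)
    if length > len(raw) or fixed + args_len > length:
        raise ValueError("declared lengths exceed the table data")
    args = raw[fixed:fixed + args_len].decode("utf-16-le", "replace")
    return {
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        # ACPI rule: all bytes of the table must sum to 0 modulo 256.
        "checksum_ok": sum(raw[:length]) % 256 == 0,
        "binary_size": size,        # bytes of executable the firmware hands to Windows
        "binary_address": addr,     # physical address of that image
        "content_layout": layout,
        "content_type": ctype,
        "arguments": args.rstrip("\x00"),
    }


def build_sample() -> bytes:
    """Constructed sample table; values are made up, not from a real machine."""
    args = "/sample\x00".encode("utf-16-le")
    body = WPBT_BODY.pack(0x20000, 0x7F000000, 1, 1, len(args)) + args
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              b"SAMPLE", b"EXAMPLE ", 1, b"TEST", 1)
    table = bytearray(header + body)
    table[9] = -sum(table) % 256  # checksum byte sits at offset 9
    return bytes(table)


if __name__ == "__main__":
    print(parse_wpbt(build_sample()))
```

On Linux, a firmware-published table can be read as root from /sys/firmware/acpi/tables/WPBT and passed to parse_wpbt; if that file does not exist, the firmware exposes no WPBT.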

2. Lenovo and the Superfish Malware

In early 2015, it was discovered that Lenovo laptops shipped to stores and consumers in late 2014 had malware preinstalled. Masquerading as a piece of typical manufacturer bloatware, Superfish Visual Discovery was a browser extension that analyzed images, checked if they were products, and then displayed cheaper alternatives. Sounds useful, but…

“The Superfish Visual Discovery engine analyzes an image 100% algorithmically, providing similar and near identical images in real time without the need for text tags or human intervention. When a user is interested in a product, Superfish will search instantly among more than 70,000 stores to find similar items and compare prices so the user can make the best decision on product and price.”

So, Superfish hijacked browsers and installed a self-signed HTTPS certificate, making HTTPS connections as weak as HTTP. This enabled Superfish to intercept internet traffic.

Worryingly, intercepting traffic in this way is known as a Man-in-the-Middle attack, a key attack vector in online crime. Oh, and to make matters worse, the HTTPS certificates had the same private encryption key on every single affected Lenovo computer!

3. Lenovo's Customer Feedback Program

Previous security issues had hit lower- and mid-range computers and smartphones. In September 2015, however, it became apparent that the high-end ThinkPads, ThinkCentres and ThinkStations were being sold with preinstalled malware.

Known as the Lenovo Customer Feedback Program, the tool forwarded daily personal usage data to Omniture.

Omni-who? Omniture is an online marketing and web analytics company, owned by Adobe since 2009. Following Lenovo Service Engine and Superfish, Lenovo Customer Feedback Program seems like blatant opportunism. Fortunately, Lenovo Customer Feedback can be uninstalled.

4. Lenovo Solution Center Allows Malicious Code Execution

In May 2016, it transpired that the Lenovo Solution Center bloatware featured another key vulnerability.

This privilege escalation vulnerability allowed attackers with access to a device on your network to execute malicious code. While your home network might be secured, there's a good chance that the public Wi-Fi you use isn't.

Consequently, the Lenovo Solution Center could have been used to subvert your entire system, and potentially a whole network.

5. Lenovo Solution Center and Malicious Websites

Embarrassingly for Lenovo, the LSC has had previous problems.

For example, in December 2015, hacking group Slipstream/RoL demonstrated several vulnerabilities in the tool. One of these could direct users to malicious websites (blocking the usual methods of checking).

While Lenovo has released steps for dealing with the privilege escalation issue, the safest option is clearly to uninstall the Lenovo Solution Center.

6. Privilege Escalation Vulnerability in Lenovo Solution Center

Still using the Lenovo Solution Center? Stop! In 2018, PenTestPartners uncovered a privilege escalation vulnerability in the LSC, specifically a DACL (discretionary access control list) overwrite.

In short, this allows a low-privileged user to take control of files limited to high-privileged users. PenTestPartners subsequently shared this information with Lenovo, who informed the security researchers that the LSC was past its "end of life," claiming it had ended in April 2018. However, PenTestPartners provided evidence that Lenovo listed the latest version of LSC as dated 15th October 2018.

Lenovo's conduct around this issue is sketchy to say the least.

7. BSOD Workaround Violates Windows 10 Security

Lenovo's security issues are not a thing of the past. Despite hopes that they might improve, practices remain questionable.

Following the August update KB566782 for Windows 10 version 2004, Lenovo users encountered regular Blue Screens of Death (BSOD) on newer Lenovo ThinkPad models. The bug also broke the Windows Hello biometric login.

Lenovo's response to users was to offer a workaround. All good, you might think, except this fix disabled the Enhanced Windows Biometric Security settings. Hardly the solution a reputable PC manufacturer should be offering.

Lenovo's Security Issues Mean You Should Avoid Its Computers

While Lenovo's issues can be dealt with relatively easily, the fact is, they shouldn't be there in the first place.

It's been speculated that the various security breaches have been prompted by Lenovo's desire to monetize their user base. After all, such low prices need to be topped up somehow. Whatever the reason, Lenovo computer users have been placed repeatedly at risk from security issues over the years.

Until Lenovo addresses its security issues, it's time to look elsewhere.