It’s happened again. Like a dodgy employee with their hand caught in the till and given one last chance, Chinese computer and smartphone manufacturer Lenovo has been pushing flawed bloatware on its users.
Just 12 months after Superfish threatened to undermine the company’s reputation, this latest incident demonstrates one very clear point: Lenovo PCs are bad for your online security. Let’s look at why the time has come to start looking elsewhere for affordable computers.
The Success of Lenovo
Before we do that, however, now is a good time to give Lenovo some credit. After buying IBM’s computer business in 2005, it became the largest smartphone manufacturer in mainland China by 2014. Not bad for a company only formed 30 years earlier, and in the past few years they’ve bought up Medion and Motorola Mobility from Google.
In that same period, Lenovo has managed to establish a market share of over 10 percent in the USA. This is a company that has become increasingly popular with consumers, partly due to its innovative hybrid PCs and partly because their devices are more affordable than competitors, like HP.
Now in a strong position, Lenovo has taken its customers for granted.
1. Lenovo Service Engine
Appearing on devices that shipped from October 2014 to June 2015, the Lenovo Service Engine supposedly sent non-identifiable system information from your PC to Lenovo, the first time your computer goes online. Meanwhile, the Lenovo OneKey Optimizer bloatware would be installed on laptops.
Worse still, these same behaviors would occur following a clean install – thanks to a Windows 8 feature called Windows Platform Binary Table – which stores executables within the UEFI firmware. It turned out, however, that Lenovo Service Engine had various security issues, and as a result, didn’t meet the guidelines for WPBT inclusion – which is intended for anti-theft software.
Lenovo Service Engine has since been discontinued, and Lenovo has issued instructions for its removal.
2. Lenovo and the Superfish Malware
In early 2015, it was discovered that Lenovo laptops shipped to stores and consumers in late 2014 had malware preinstalled. Masquerading as a piece of typical manufacturer bloatware, Superfish Visual Discovery was a browser extension that analyzed images, checked if they were products, and then displayed cheaper alternatives. Sounds useful, but…
“The Superfish Visual Discovery engine analyzes an image 100% algorithmically, providing similar and near identical images in real time without the need for text tags or human intervention. When a user is interested in a product, Superfish will search instantly among more than 70,000 stores to find similar items and compare prices so the user can make the best decision on product and price.”
Here’s a more in-depth explainer and discussion:
Yes. Superfish hijacked browsers. Worse still, it installed a self-signed HTTPS certificate, which makes HTTPS connections as weak as HTTP, enabling Superfish to intercept your Internet traffic. This is known as a Man-in-the-Middle attack, a key attack vector in online crime. Oh, and to make matters worse, the HTTPS certificates had the same private encryption key on every single affected Lenovo computer!
3. Lenovo’s Customer Feedback Program
Previous security issues had been targeted at lower-and-mid-range computers and smartphones. In September 2015, however, it became apparent that the high-end ThinkPads, ThinkCenters and ThinkStations — built and promoted as alternatives to Apple computers — were being sold with preinstalled malware, the Lenovo Customer Feedback Program, that forwards personal usage data to Omniture on a daily basis.
Omni-who? Omniture is an online marketing and web analytics company, currently owned by Adobe. Following Lenovo Service Engine and Superfish, Lenovo Customer Feedback Program seems like blatant opportunism. Fortunately, Lenovo Customer Feedback can be uninstalled.
4. Lenovo Solution Center
In May 2016, we discovered that Lenovo has failed to learn from its earlier THREE mistakes. This latest issue is with the Lenovo Solution Center, a piece of bloatware that causes more problems than it solves.
Despite being largely useless already, we now learn that it includes a privilege escalation vulnerability that allows attackers with access to a device on your network to execute malicious code. While your home network might be secured, there’s a good chance that the public Wi-Fi you use isn’t.
What this means is that the Lenovo Solution Center can be used to subvert your entire system, and potentially a whole network. Embarrassingly for Lenovo, this isn’t the first time LSC has had problems, and it has now been patched twice in six months. Back in December 2015, hacking group Slipstream/RoL demonstrated several vulnerabilities, including one that could direct users to malicious websites (blocking the usual methods of checking).
While Lenovo has released steps for dealing with the privilege escalation issue, the safest option is clearly to uninstall the Lenovo Solution Center, as you would uninstall any Windows software.
Lenovo: Not the Computer You’re Looking For
One might argue that these issues can be dealt with relatively easily. The fact is, they shouldn’t be there in the first place. Oh, and Lenovo has bigger problems than malicious software. Various models of laptops have run into manufacturing issues over the past few years (often surrounding the all-important hinge mechanism, as this forum thread demonstrates), which makes you wonder whether the initial low-cost of their systems is really the advantage it at first seems.
It’s been speculated that the various security breaches have been prompted by Lenovo’s desire to monetize their user base, enabling after sale profits that “top-up” the initial sale price. Whatever the reason, the naked truth is that Lenovo computer users have been placed repeatedly at risk from security issues, and until the company deals with this, it’s time to look elsewhere.
For more help avoiding potential security breaches, check out tips for data handling at work.