Western spooks banned Lenovo PCs after finding back doors

Chinese PC giant Lenovo has been banned from supplying kit for the top secret networks of western intelligence agencies after security concerns emerged when backdoor vulnerabilities were detected, according to a new report. Unnamed intelligence and defence “sources” in the UK and Australia confirmed to the Australian Financial …

COMMENTS

This topic is closed for new posts.
  1. Arthur 1

    Hrm

    This doesn't really make a lot of sense on face value. If there was widespread backdooring on these machines, which are everywhere, you'd think any of the multitude of excellent private security firms who work on this stuff would have found something by now. Beyond that, you'd think that the NSA et al would at least try to steer other branches of the government subtly away from Lenovo kit, when in fact it's pretty actively promoted in the public sector as a reliable choice.

    So no matter how you slice it, it sounds like this couldn't have been both widespread and ongoing. Either it was limited to a certain run early on and has been shelved as a bad idea, but the NSA just doesn't want to run a risk of recurrence no matter how small; or, alternatively, it could be that bugged Lenovo machines were part of a specific operation against the NSA and there is and never was such a program at Lenovo in general distribution. It's even possible the malware was added somewhere between it leaving the Lenovo general assembly line and being on the test bench in the USA.

    Either way, given all of that (which admittedly includes some assumptions, but I think reasonable ones) I'm even more confused about the point of this announcement.

    1. Destroy All Monsters Silver badge
      Big Brother

      Re: Hrm

      Not only that but they must have backdoored it rather quickly after the change of boardroom keys occurred.

      It could well be just a bug in the implementation of the baseboard management controller (if there is such a thing) the finding of which is now being leaked for ...err... "commercial" reasons.

      Yeah, who leaks it? Who are these "sources"? Why now?

    2. Anonymous Coward
      Anonymous Coward

      Re: Hrm

      Not so. The private sector companies would need to:

      * Be looking for the vulnerability;

      * Know where to look for the vulnerability, and most importantly;

      * Be in possession of equipment that actually has the vulnerability

      Lenovo control the whole supply chain for their PCs; when a machine is shipped to a government customer, they can decide which individual machine is going to that customer, and therefore which machine needs "modification" either by themselves or the Chinese intelligence services.
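The check that follows from the point made in that comment is to measure every delivered unit rather than trust the batch. The script below is an added example, not code from the page, from Lenovo or from any vendor: it compares each unit's firmware hash against a trusted reference image for its model and firmware version, and separately flags any unit whose image is unique within its group even when no reference exists. The model names, versions, serials, inventory lines and "reference" images are all constructed for the example; in practice the per-unit hash would come from a flash dump taken at goods-in (using a tool such as flashrom is an assumption here) and the reference from an image you obtained and verified independently.

```python
"""Fleet firmware baseline check (illustrative, constructed data)."""
import hashlib
from collections import Counter, defaultdict

# Constructed stand-ins for trusted vendor images, keyed by (model, fw version).
REFERENCE_IMAGES = {
    ("ModelA", "1.46"): b"reference-firmware-ModelA-1.46",
    ("ModelB", "1.39"): b"reference-firmware-ModelB-1.39",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


REFERENCE_HASHES = {k: sha256_hex(v) for k, v in REFERENCE_IMAGES.items()}

# Constructed goods-in inventory: one line per delivered unit, as a script
# that dumps and hashes each unit's flash might write it.  PF01AAC carries
# an image that differs from the reference by a few appended bytes;
# PF02BAC runs a version for which no trusted reference exists.
INVENTORY = """\
serial=PF01AAA model=ModelA fw=1.46 sha256={a}
serial=PF01AAB model=ModelA fw=1.46 sha256={a}
serial=PF01AAC model=ModelA fw=1.46 sha256={a_bad}
serial=PF02BAA model=ModelB fw=1.39 sha256={b}
serial=PF02BAB model=ModelB fw=1.39 sha256={b}
serial=PF02BAC model=ModelB fw=1.40 sha256={b_140}
""".format(
    a=REFERENCE_HASHES[("ModelA", "1.46")],
    a_bad=sha256_hex(b"reference-firmware-ModelA-1.46" + b"\x00extra"),
    b=REFERENCE_HASHES[("ModelB", "1.39")],
    b_140=sha256_hex(b"image-with-no-trusted-reference"),
)


def parse_inventory(text):
    """Parse 'key=value' records, one unit per line."""
    units = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        units.append(dict(kv.split("=", 1) for kv in line.split()))
    return units


def check_fleet(units, reference):
    """Map serial -> 'ok' | 'mismatch' | 'no-reference'.

    'mismatch' means a trusted image exists for this model/version and the
    unit's flash does not hash to it; 'no-reference' means we cannot judge.
    """
    verdicts = {}
    for u in units:
        key = (u["model"], u["fw"])
        if key not in reference:
            verdicts[u["serial"]] = "no-reference"
        elif u["sha256"] == reference[key]:
            verdicts[u["serial"]] = "ok"
        else:
            verdicts[u["serial"]] = "mismatch"
    return verdicts


def outliers(units):
    """Reference-free check: within one model/version group, a hash seen on
    exactly one unit is suspicious.  Returns those serials, sorted."""
    groups = defaultdict(list)
    for u in units:
        groups[(u["model"], u["fw"])].append(u)
    flagged = []
    for group in groups.values():
        if len(group) < 2:
            continue  # a single unit has nothing to be compared with
        counts = Counter(u["sha256"] for u in group)
        flagged.extend(u["serial"] for u in group if counts[u["sha256"]] == 1)
    return sorted(flagged)


if __name__ == "__main__":
    units = parse_inventory(INVENTORY)
    for serial, verdict in check_fleet(units, REFERENCE_HASHES).items():
        print(serial, verdict)
    print("singleton images:", outliers(units))
```

The second check matters for exactly the scenario the comment describes: a supplier who modifies one unit destined for one customer produces a singleton image, which stands out against its batch even before a trusted reference is available.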

    3. This post has been deleted by its author

    4. Antonymous Coward
      Black Helicopters

      Re: Hrm

      I'm inclined to think the coincidence is simply a matter of control. When it was IBM churning out backdoored(?) kit under the watchful eye of the US's NSA all was tickety-boo. However, as soon as the keys changed hands and Lenovo found itself churning out the same kit, right down to the same backdoors(?), but now under the watchful eye of China's PLA, there's suddenly a problem. Well, a quiet concern for the "five eyes" anyway. Not something they'd want to go making a fuss about... not then anyway... don't suppose it'd be much of a secret from anyone now though.

      When was it that Intel introduced its vPro/AMT remote exploitation management orifice? "Mid-2000s" ish? I think I saw somewhere that it's illegal in Russia and China? Not that there could be any connection. Of course.

      1. David Pollard

        Re: Hrm

        Doesn't vPro/AMT need an appropriate chipset, to enable access to the network/wifi and to turn the power on etc.?

        It seems more likely that the reason for rejection of Lenovo was that they didn't include Intel's 'management' options while American manufacturers did.

        1. Arthur 1

          Re: Hrm

          AMT runs on an entirely separate processor, with its own RAM and other resources. It's not even an x86 system, I think it's some kind of ARM. So yes, it's a separate machine that can be exploited.

          If the concern is really that they prefer to get laptops which don't have management technology in them because of a potential danger, then this is fairly disingenuous. Especially considering that said technology is made by an American firm and really has nothing to do with Lenovo.

          1. Antonymous Coward
            Black Helicopters

            Re: Hrm

            Dave, I think as Arthur has it about right; AMT is the chipset!

            I'd agree with disingenuous but I doubt it'd be a matter of avoiding/defaming the mechanism entirely. Quite the converse. Just a matter of the five quietly wanting to be careful about who has their backdoor keys.

    5. Tom 13

      Re: Hrm

      You know that FISA court you've been bitching about for the last couple of weeks? If the NSA found it, they probably did tell all the commercial security vendors. Along with an NDA issued under the auspices of that same court. So they'd know. You and me? Not so much.

    6. Anonymous Coward
      Anonymous Coward

      Re: Hrm

      Can't imagine the NSA would approve of a well hidden backdoor that only they and the manufacturer knew about, no Sirree Bob, can't think of any reason at all for that.

  2. Sorry that handle is already taken. Silver badge

    What

    And the kit manufactured in the US and UK isn't backdoored?

    1. Anonymous Coward
      Anonymous Coward

      Re: What

      As someone who has worked in a company which manufactured network kit in the UK I can say - no, it was not backdoored. The export regulations made that unnecessary.

      By the way, I personally spec'ed the whole security subsystem and access control to it. I also implemented key parts at the time. So I actually know what went in.

      At least that was the case a decade ago. Dunno how it is now. It seems that half of the world has swallowed Stasi and is merrily replicating what Putin did to the Russian telecoms systems after he came to power.

    2. WatAWorld
      Unhappy

      Re: What

      Apparently the kit manufactured in the US and UK is backdoored by our lords and masters, so that's all right then.

      1. Andy Roid McUser
        Joke

        Re: What

        The UK manufactures stuff ?? I thought we outsourced all that a long time ago.

        1. Anonymous Coward
          Anonymous Coward

          Re: What

          Please don't perpetuate the myths; talk our country UP not down and you may find it a happier place.

          Last I looked we were the fifth largest manufacturers in the world which, given a population of less than 70 million, is pretty darn good.

          (Not as good as the Empire days, but they weren't exactly a good baseline given the power structures in place).

    3. Ossi
      Facepalm

      Re: What

      The amazingly predictable 'yes, but we're just as guilty' answer. Otherwise known as 'two wrongs make a right'. If you think what they're (allegedly) doing is wrong, then backdooring is wrong, full stop. Ergo, Lenovo's (alleged) behaviour is wrong.

      In fact, the story is a practical, not a moral one. The security services won't use their equipment because they think they're risky. That's their prerogative. They're not claiming the moral high ground. The Chinese are equally at liberty not to use Western stuff. You can put your moral outrage away now.

    4. jason 7
      Big Brother

      Re: What

      I wonder if kit made before a certain time would be less prone to having backdoors etc. ?

      Could it be we will be going crazy on Ebay buying up all those 'secure' backdoor free single core laptops from 2003?

      You know before Govts realised the internet was worth looking at.

    5. mIRCat
      Facepalm

      Re: What

      "And the kit manufactured in the US and UK isn't backdoored? "

      Not my Raspberry Pi? Say it's not so!

  3. Anonymous Coward
    Anonymous Coward

    Since it matches the acquisition date from IBM, you would have to assume that IBM put the backdoors in, and the security services were well aware of them.

    The only thing changing when Lenovo acquired it, was that the Chinese would be in a position to find out about them, and how to use them.

  4. Christian Berger

    That's why we need free systems

    We finally need to come to a point where systems are as transparent as possible. For example we could go the OpenFirmware approach and compile the firmware at boot-time.

    Adding a complex system like EFI will just increase the chance of a backdoor slipping in undetected. It's much easier to hide something in 30 Megabytes of code than in 100k. And since EFI supports things like "secure" boot, you cannot even go the minimalist's approach by throwing out everything you don't want.

    1. Sandtitz Silver badge
      Facepalm

      Re: That's why we need free systems

      You would also have to build the CPU and all other hardware by yourself just to be sure.

      And how can you know the compiler isn't infected? Don't say you compiled the compiler by yourself...

      Also, compiling a firmware at boot sounds very tin-hattery.

      1. Anonymous Coward
        Anonymous Coward

        Re: That's why we need free systems

        And we'd have to presume that every department in every business in the world has a specialist reading the code, just in case it hasn't been modified at some point.

        Open source is open, but doesn't mean everyone is checking everything, all the time. If this were the case there would never be any bugs or security holes. In fact because it's open, people presume someone else must have checked every line of code.

        1. Paul Crawford Silver badge

          Re: That's why we need free systems

          Having open source BIOS & OS is the least-worst option from a security point of view, more so if you are not from the USA. To recap the recent revelations and discussions:

          MS (thus Windows) is partner in PRISM and as a USA-based company hence under the jurisdiction of the PATRIOT act, thus almost certainly compromised (remember the _NSAKEY business around 2000?). No open code reviews or ability to compile and check updates etc, to suggest otherwise.

          Apple (thus MacOS and iOS) also in PRISM and under PATRIOT act, thus and almost certainly compromised. As for MS, nothing to suggest otherwise.

          Open source (e.g. Linux) has lots of contributors (including MS, NSA, etc) so possibly compromised, but not under the PATRIOT act for code, etc, as not under any one USA company. Code open to review but no doubt not everything checked, or apt-get updates verified, etc.

          Can you absolutely trust any of them? No.

          If you are not in the USA which is the least-worst then? Open source.

      2. Flocke Kroes Silver badge

        Tin foil hats for all

        The build process for gcc does not trust the installed compiler. It uses the installed compiler to compile an intermediate compiler that is used to compile the final compiler. It also checks that the intermediate compiler creates the same output as the final compiler by compiling the compiler again with the final compiler. A back door that can survive that should have a big foot print.

        You do not compile the firmware at boot. You replace the firmware so you have (some) confidence that you control the boot process. The coreboot project (http://www.coreboot.org/Welcome_to_coreboot) provides a replacement for the BIOS that is no more hassle to install than any other embedded software project. The down sides are supported hardware tends to be old, and effective TPM hardware can spot you are not using manufacturer approved firmware, and refuse to boot.

        If I deserve a tin foil hat for liking coreboot, then you deserve one if you cannot show us a back door in gcc: http://gcc.gnu.org/releases.html

      3. Christian Berger

        Re: That's why we need free systems

        "You would also have to build the CPU and all other hardware by yourself just to be sure."

        Yes, but you'd already greatly limit the attack surface. It's about having to trust fewer things, fewer lines of code, etc, and making backdoors more obvious.

        "Also, compiling a firmware at boot sounds very tin-hattery."

        Actually the idea why OpenFirmware does that is so that you can use hardware independently of your CPU platform. So imagine you have a SCSI controller with an OpenFirmware extension ROM. You just pop it in, and it doesn't matter what sort of CPU you have, it'll just work for the bootloader. The PC-BIOS solution requires you to have an x86 CPU (in real mode).

  5. Anonymous Coward
    Anonymous Coward

    Unnamed intelligence and defence backdoor sources?

    "Chinese PC giant Lenovo has been banned from supplying kit for the top secret networks of western intelligence agencies after security concerns emerged when backdoor vulnerabilities were detected .. Unnamed intelligence and defence “sources” in the UK and Australia confirmed ..

    Have these unnamed intelligence and defence sources found the backdoor the NSA inserted into the unnamed Operating System.

    'Professor Farinaz Koushanfar .. said the NSA was “incredibly concerned about state-sponsored malicious circuitry”.'

    Then why has the NSA installed such 'malicious circuitry' in the first place, which dilutes security and can be accessed by a third party?

    1. Kingston Black
      Big Brother

      Re: Unnamed intelligence and defence backdoor sources?

      Do I smell FUD from the western spooks? Have they re-started trying to make out the Chinese are worse than them again? Pot, see kettle.

      Unless of course, they are preparing the ground, fearing more revelations? From the resident of Moscow airport perhaps? Why do they have such an enormous, disproportionate(?) downer on him? I'm beginning to wonder who is running scared here; is it us (the people) or them (The Establishment)?

      So many questions, no answers, must go and buy some more tinfoil.

      1. WatAWorld

        Re: Unnamed intelligence and defence backdoor sources?

        Sadly there may be neither enough tin foil, nor enough tin ore, in the world to meet the needs of the IT community.

        Three months ago I'd have called someone a nut for saying 20% what we now know to be true.

  6. John Smith 19 Gold badge
    Big Brother

    You are an intelligence agency. You find a backdoor. a)Tell the world b) Keep it to yourself?

    Can any mfg at any level be trusted?

    Now what if it got out that Intel has installed another "debugging" mode in its processors at US Govt demand?

    1. Mystic Megabyte
      Headmaster

      Re: You are an intelligence agency. You find a backdoor. a)Tell the world b) Keep it to yourself?

      >>Now what if it got out that Intel has installed another "debugging" mode in its processors at US Govt demand?

      That's probably what the so far unexplained part of Stuxnet is for.

    2. Paul Crawford Silver badge

      Re: You are an intelligence agency. You find a backdoor. a)Tell the world b) Keep it to yourself?

      You don't need any secret 'debugging' mode when you have the System Management Mode interrupt that can't be blocked (above NMI priority!) and can run anything the BIOS demands, making it the vector for the perfect rootkit.

  7. Wang N Staines

    Suicidal

    For companies to put back doors in their products in the age of Twitter is suicidal.

    I suspect those back doors belong to the component manufacturers, Lenovo just integrated them into their products. The agencies are being quiet about which components had/have back doors in them.

    I wouldn't be surprised if Intel and mates put back doors in for themselves and Lenovo was just exploiting them.

  8. keithpeter Silver badge
    Windows

    what are they using then?

    OK, what client computers are the 'five eyes' using then?

    Any ideas?

    The tramp: safety and privacy in your local coach station foyer.

    1. Anonymous Coward
      Anonymous Coward

      Re: what are they using then?

      the NSA/DIA operatives (OK, "Consultants" on the NSA Standards Technical Committee) that I've met tend to use Win7 on small (not ultra) Sony laptops (stuff like Sony Vaio VPCY21EFX or similar)

      These could well be the 'throw away when you get back home' type computers, but they looked well used & loved. Of course, Sony would 'never' rootkit anything….

  9. Anonymous Coward 101

    Aye Right

    "There is also widespread suspicion in the West that even non-state owned businesses have close ties with Beijing through the ubiquitous Communist Party committees which operate within them."

    I sympathise with the western intelligence agencies. It must have been conceptually almost beyond them that a non-state owned company could have close ties with the government. Such a thing has never occurred in the West.

  10. Anonymous Coward
    Anonymous Coward

    Backdoors hackers could expose? Like a popular operating system?

  11. WatAWorld

    If backdoors and vulnerabilities are unacceptable then there is only one logical conclusion

    Initially I was going to ask, "How could they tell the Lenovo backdoors that perhaps the Chinese installed from the Microsoft backdoors that perhaps the NSA installed?"

    But now that I think about it, they could tell -- but only if they had enumerated (counted and labeled) all the existing backdoors and vulnerabilities in Windows.

    Which the NSA could only do if it knew about all the backdoors and vulnerabilities that were already there in Windows. I'm not saying they added them, but they could have counted the ones that got in.

    And that might explain why governments don't use Linux or OS X to avoid Windows vulnerabilities -- they know all the Windows vulnerabilities.

    I don't know. I had always figured banks and governments avoided OS X and Linux on desktops for the same reason, Windows had faced far more probing by hackers and was thus much more tested. Could the NSA have found and counted all the many vulnerabilities in each version of Windows when it came out?

    Maybe this is just a nationalist phobia of foreign companies on the part of the NSA, not related to backdoors and vulnerabilities.

    Or maybe the NSA knows what we should all know -- you cannot trust a government with control over the production of your hardware, software or services -- certainly not a foreign government (like a US government for those of us not in the US) and maybe not even your own government.

    "He who looks behind the door hath hid there once himself" -- Old Belgian proverb

    1. Anonymous Coward
      Anonymous Coward

      Re: If backdoors and vulnerabilities are unacceptable then there is only one logical conclusion

      Having friends who work in the ATM/banking industry it seems the reasons are much simpler and need no tin-foil hats - the PHB liked Windows and went for that when OS/2 etc was clearly dying.

      Very little thought went in to how secure the OS is, because largely it was assumed that all ATMs would be on private networks so not at the same risk as Joe Public's PC.

      Having a large company behind Windows and (until Win8) a relatively stable and common user interface made it more attractive to the conservative world of banking, compared to Linux where they can't agree on anything for more than 6 months or so before starting yet another not-quite-functioning network manager GUI, etc. (however those with a more technical background prefer the openness of Linux and ability to do what you want with it).

    2. Wang N Staines

      Re: If backdoors and vulnerabilities are unacceptable then there is only one logical conclusion

      I suspect these back doors were put there by Intel and Microsoft, but Lenovo subverted them for their uses.

    3. Anonymous Coward
      Anonymous Coward

      Re: If backdoors and vulnerabilities are unacceptable then there is only one logical conclusion

      Oh I just thought, if all Lenovo did initially was just press the stuff IBM was already pressing, then I'd not be surprised if the backdoors they found were in fact US in origin.

  12. This post has been deleted by its author

  13. Joey

    Personally, I am more worried about the fact that there is a Chinese takaway in every town in the country!

  14. Otto is a bear.

    Hang on.

    I don't know about commercial security companies finding back door exploits, but criminal hackers seem to be very good at finding them, and the back doors would need at the very least to have some kind of software and processing support to access a network, or load a trojan.

    To actually report something back to whoever, would require the generation of network traffic, which would have to be dial home, no query mechanism would get through a properly setup network firewall.

    Secure laptops tend to have encrypted disks, which decrypt at an OS level, so only the keyboard and display sub-systems would be vulnerable. An OS hack is far more useful.

    Once you start transmitting data via your back door, network security devices will notice it as it passes through a whole variety of checks. This would catch both Hardware and Software back doors. The only people really at risk are users who don't have defence in depth security, and probably not even that deep.

    This story is a bit silly season though, isn't it, it's hardly a secret that secure organisations tend not to use much purely Chinese made kit, if they can help it. Any kit that is used, Chinese or not, has to pass a whole set of continuous tests to show that it isn't a threat. Funnily enough it was a Five eye ally who was first caught trying to do this to the DoD, and that was discovered by standard security processes at the supply level.
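The comment above rests on the observation that a back door which reports home still has to emit traffic, and the network boundary can see it. The script below is an added example, not code from the page or from any product, of the simplest version of that check: it reads outbound connection records, groups them by source/destination pair, and flags pairs that connect often and at unusually regular intervals, which is how a timer-driven call-home looks in flow or proxy logs. The records are constructed for the example (documentation IP ranges, invented timestamps) and the two thresholds are assumptions to tune for a real network.

```python
"""Beacon detection over outbound connection records (illustrative)."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

MIN_EVENTS = 8   # need this many connections before judging regularity
MAX_CV = 0.15    # max coefficient of variation (stdev/mean) of the gaps

# Constructed records, "<timestamp> src=<ip> dst=<ip> bytes=<n>":
#   10.0.0.5 -> 203.0.113.7   polls roughly every 300 s (the beacon)
#   10.0.0.9 -> 198.51.100.20 bursty, browsing-like traffic
#   10.0.0.7 -> 192.0.2.44    too few events to judge either way
SAMPLE_LOG = """\
2013-07-29T08:00:00Z src=10.0.0.5 dst=203.0.113.7 bytes=412
2013-07-29T08:05:01Z src=10.0.0.5 dst=203.0.113.7 bytes=415
2013-07-29T08:10:00Z src=10.0.0.5 dst=203.0.113.7 bytes=410
2013-07-29T08:14:59Z src=10.0.0.5 dst=203.0.113.7 bytes=413
2013-07-29T08:20:00Z src=10.0.0.5 dst=203.0.113.7 bytes=412
2013-07-29T08:25:02Z src=10.0.0.5 dst=203.0.113.7 bytes=411
2013-07-29T08:30:00Z src=10.0.0.5 dst=203.0.113.7 bytes=414
2013-07-29T08:34:58Z src=10.0.0.5 dst=203.0.113.7 bytes=412
2013-07-29T08:40:00Z src=10.0.0.5 dst=203.0.113.7 bytes=410
2013-07-29T08:45:01Z src=10.0.0.5 dst=203.0.113.7 bytes=413
2013-07-29T08:00:00Z src=10.0.0.9 dst=198.51.100.20 bytes=9120
2013-07-29T08:00:12Z src=10.0.0.9 dst=198.51.100.20 bytes=33010
2013-07-29T08:00:15Z src=10.0.0.9 dst=198.51.100.20 bytes=1200
2013-07-29T08:03:20Z src=10.0.0.9 dst=198.51.100.20 bytes=48000
2013-07-29T08:03:25Z src=10.0.0.9 dst=198.51.100.20 bytes=2100
2013-07-29T08:15:00Z src=10.0.0.9 dst=198.51.100.20 bytes=7700
2013-07-29T08:15:05Z src=10.0.0.9 dst=198.51.100.20 bytes=15500
2013-07-29T08:15:06Z src=10.0.0.9 dst=198.51.100.20 bytes=600
2013-07-29T08:25:00Z src=10.0.0.9 dst=198.51.100.20 bytes=22000
2013-07-29T08:25:10Z src=10.0.0.9 dst=198.51.100.20 bytes=3100
2013-07-29T08:01:00Z src=10.0.0.7 dst=192.0.2.44 bytes=500
2013-07-29T08:06:00Z src=10.0.0.7 dst=192.0.2.44 bytes=500
2013-07-29T08:11:00Z src=10.0.0.7 dst=192.0.2.44 bytes=500
"""


def parse_flows(text):
    """Group connection timestamps by (src, dst)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows[(fields["src"], fields["dst"])].append(when)
    return flows


def interval_stats(times):
    """Mean gap in seconds and its coefficient of variation (jitter)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")  # all-equal timestamps: unjudgeable
    return m, cv


def find_beacons(flows, min_events=MIN_EVENTS, max_cv=MAX_CV):
    """Return (src, dst, period_seconds, cv) for pairs that look timer-driven."""
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_events:
            continue
        period, cv = interval_stats(times)
        if cv <= max_cv:
            hits.append((src, dst, round(period), round(cv, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, period, cv in find_beacons(parse_flows(SAMPLE_LOG)):
        print(f"possible beacon {src} -> {dst}: every ~{period}s (cv={cv})")
```

A call-home that randomises its sleep defeats a bare jitter test, so in practice this runs alongside other boundary-side signals the comment alludes to: near-constant payload sizes, a destination no other host talks to, and persistence across days rather than one morning.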

    1. David Pollard

      Re: Hang on.

      Given that network security would recognise when the backdoor 'phoned home, wouldn't this be just what the spooks want? Having discovered how the monitoring works they could then be selective and arrange to send all manner of disinformation down the link.

      Isn't that what much of spying is about, telling fibs and seeing who can get away with telling the most monstrous ones?

  15. alf_s

    Reflections On IT Insecurity

    If this

    http://www.infoworld.com/d/security/in-his-own-words-confessions-of-cyber-warrior-222266

    is true (which I consider entirely plausible based on my knowledge of C, C++ and the US "defense" attitude), then the entire device from CPU to OS to Office program needs to be distrusted.

    So:

    + cut the WLAN antenna physically, it might turn on when you don't want it

    + connect to other networks via a RaspberryPI router to your corporate/org firewall

    + inspect all traffic heavily and diligently at the firewall

    + blacklist all the "social" crap from gmail to f-book - intransparent traffic you cannot properly inspect

    + encrypt in the RaspPI as you cannot possibly trust the craptop. End-to-end crypto has drawbacks

    Of course that implies

    -you trust the RaspPI hardware

    -you trust the RaspPI VPN software

    But that is a much smaller endeavour than just verifying the Intel guys of this globe (some of them are NOT located in USA, but in that belligerent country) did not fuck up the CPU.

  16. ecofeco Silver badge
    Trollface

    Ah the irony

    Carry on.

  17. James Anderson

    call me paranoid but

    Given the timing, i.e. almost immediately after the sale of IBM's PC division, isn't it more likely that these were NSA sponsored back doors that IBM inadvertently gave away with the sale to Lenovo?
