CAUGHT: Lenovo crams unremovable crapware into Windows laptops – by hiding it in the BIOS

Lenovo has sold laptops bundled with unremovable software that features a bonus exploitable security vulnerability. If the crapware is deleted, or the hard drive wiped and Windows reinstalled from scratch, the laptop's firmware will quietly and automatically reinstall Lenovo's software on the next boot-up. Built into the …


When is a BIOS not a BIOS?

When it's root-kitting your machine, obviously.

But the more serious question is why are open/replicable BIOS not more widely demanded? Are our gov departments happy to buy mass-market PCs with such crap-ware (or even foreign spyware) pre-installed? If not, what are they doing about it? When do we start to see contracts for gov PCs that demand open source BIOS without any shit-ware installed? Only then will there be enough of a commercial pressure for suppliers to make enough details available for reliable 3rd party BIOS to be used.


Re: When is a BIOS not a BIOS?

What you're looking for is called "coreboot". It is open source, it's GPL so vendors can't add some proprietary "extra sauce" without releasing the source (and therefore letting us know what they did), and it does the minimum necessary to boot the OS and then gets out of the way. If you just want to run Linux, then it can boot GRUB 2 directly without any BIOS or EFI, which will then boot your Linux distro. If you want to run an "other OS", then you can use a BIOS (SeaBIOS) or EFI (TianoCore) equivalent, and then boot the OS via that mechanism.

Ironically, the Coreboot web site says that it works on at least 10 models of Lenovo laptop and it ships as the standard firmware on a Lenovo Chromebook.

I'm not a big fan of large complex firmware systems in PCs. Large complex software systems will inevitably have bugs and security holes, and PC hardware vendors are poorly placed to deal with them. I would rather they just booted the OS with a minimum of fuss and let it get on with things. The OS vendors at least are used to dealing with security problems and have established procedures and update channels.


Re: When is a BIOS not a BIOS?

Presumably GCHQ already have a custom version of this...

We need a WPBT table viewer - anyone?


Re: When is a BIOS not a BIOS?

That would require someone in Government who even understands what the problem is... no hope in UK then.... they are just a bunch of ignorant oldies whose kids use the internet... and who themselves think that IT is something to do with Candy Crush (played on iPads during work time).


Google's "Don't be evil" motto

Who did they have in mind when they coined this, again?

Anonymous Coward

Re: When is a BIOS not a BIOS?

Thank god for "secure[sic] boot"


@thames Re: When is a BIOS not a BIOS?

"It is open source, it's GPL so vendors can't add some proprietary "extra sauce" without releasing the source ..."

In an ideal world, that is true. We live in a less than ideal one though. Nowadays I'd only feel 'safe' if I could strip and analyse it myself or rely on a trusted review by an independent organisation.


Re: When is a BIOS not a BIOS?

"We need a WPBT table viewer - anyone?"

http://rweverything.com/download/

I use the above to get the Win 8 key from the BIOS, but it has lots of other features. I don't know if it does what you want, but try it and see.... I don't have a Win 8 laptop at the mo to check...


Re: When is a BIOS not a BIOS?

That would require someone in Government who even understands what the problem is... no hope in UK then.... they are just a bunch of ignorant oldies whose kids use the internet... and who themselves think that IT is something to do with Candy Crush (played on iPads during work time).

And the Police are all stupid.....

Generalising like that is incredibly dangerous, as it leads to deliberately underestimating a potential enemy/adversary. Yes, there are a lot of people in Politics and the Civil Service that don't understand computers, just as the private sector is full of the same types of people, but working on the assumption that there's no one who understands is a bad idea.

You can be reasonably sure that the types employed by GCHQ do understand this, and the potential risks/benefits it presents (depending on what your aim is...), and if CESG or similar make a recommendation against using such kit, most departments will likely (at least half) bear that in mind.

Anonymous Coward

http://rweverything.com/download/

Ahh.

True, this is about as safe as a fully loaded MAC-10 in the hands of a school kid, or a C++ compiler in the hands of a CS undergrad, but I quite like the option to cause unlimited mayhem.

Thumbs up.


Re: http://rweverything.com/download/

Enjoy! I only use it in read mode....

Anonymous Coward

Re: When is a BIOS not a BIOS?

"http://rweverything.com/download/

I use the above to get the Win 8 key from the BIOS, but it has lots of other features. I don't know if it does what you want, but try it and see.... I don't have a Win 8 laptop at the mo to check..."

Arrgghhh!!!

Friggin Bit9... I'm in IT. It's like they don't trust us...

Bastards.


Re: When is a BIOS not a BIOS?

You could put a new hard disk in it and build Win 8, then use it...

All the data you are after is in the BIOS after all....


"Is it safe? Is it safe? Is it safe?"

"Security (theater) Software" is dead.

The game has moved into the 'hardware', which is chock-a-block full of other software. Layers and layers and yet more hidden layers.

There is no solution.


"they are just a bunch of ignorant oldies"

My experience is that it is the oldies in government IT who understand the problems, or at least are suspicious of the possible problems, while the youngsters are too gung ho and enthusiastic about new stuff to even think of the risks.


It's in China

Lenovo's software also phones home to the Taiwanese giant details of the running system.

Lenovo's commie headquarters is in Beijing. That's mainland Communist China, not the Constitutional Republic of Taiwan.

(Written by Reg staff)

Re: It's in China

"Lenovo's commie headquarters is in Beijing"

Whoops – ok, fixed.

C.


Re: It's in China

Whoops – ok, fixed.

Thumbs up for fixing it so fast!


It's almost like...

...they /want/ to go out of business!

The Lenovo brand is, with me at least, now synonymous with dodginess, and anyone willingly using it will be treated with great suspicion (of at least their IT credentials).


Re: It's almost like...

Yup, it's on to the next rootkitted adware-laden cheap laptop maker for me.


Windows only though

No effect if blatted with Linux?


Re: Windows only though

This is a question. It would be useful to have a definite answer. Does disabling "secure boot", installing Linux from a USB stick and scrubbing M$ remove the Lenovo rootkit?


Re: Windows only though

Well it'll understand it's not NTFS and not do anything or it'll corrupt the drive. Same for BitLocker partitions too I would have thought.


Re: Windows only though

@Dr Paul Taylor The rootkit code would still be in the BIOS, but without the corresponding rootkit calling code in Microsoft Windows to execute it, it would lie dormant there.


Re: Windows only though

Replying to my reply, that seems to be true for the Windows 7 autochk.exe method where the file is overwritten by the BIOS.

The Windows 8 and 10 wpbbin.exe method can't be disabled and gets past BitLocker, as it's Windows 8/10 itself which gets the file from the BIOS and runs it. So it seems if you must use Windows 8/10 there's nothing you can do to stop it.

The article seems to say the autochk.exe method and the wpbbin.exe method are part of one rootkit, but the autochk.exe method would be used by the BIOS if Windows 7 is detected, and the wpbbin.exe method would be used by Windows 8/10: it checks the BIOS to see if this file is stored in it and, if so, writes it to the filesystem itself and runs it.


Re: Windows only though

"Well it'll understand it's not NTFS and not do anything or it'll corrupt the drive. Same for BitLocker partitions too I would have thought."

Are you sure? Anyway I get enough weird shit happening on my Gentoo powered lappy without holes being punched in /usr/bin by the BIOS.

Funnily enough, Lenovo laptops used to be the darling of the Linux dev brigade due to the way they had a habit of just working. No more, and I'm sure Lenovo's S&M dept are crying into their <whatever_they_drink_there>

bjr

Re: Windows only though

It can't affect Linux for several reasons: first, it's looking for a Windows installation and it won't find one; second, it's looking for an NTFS file system, and it won't know what to do with EXT4; and finally, Windows binaries won't run on Linux except under WINE, which they won't be using.


Re: Windows only though

It's a standard MS Windows feature (Microsoft Windows Platform Binary Table) which Lenovo is making use of. The Lenovo software isn't loading itself. It simply sits in flash and lists itself as being available. MS Windows looks to see if it's there, and if so copies it onto the hard drive and executes it. It's an alternative to injecting the software directly into the install image. The documentation isn't clear, but I imagine that it was meant to allow enterprise IT staff to use their own generic Windows install images but still automatically provision the vendor specific stuff.

If you installed Linux (e.g. Ubuntu) then the bits would simply sit there as there is no equivalent feature in Linux. The same obviously applies to BSD. It requires an active effort by the OS to load. The "rootkit" stories are a bit off target, in that it isn't something which is hidden from the OS. Rather it's a standard Windows feature which not many people were aware of.

I would not be surprised if many other PC makers were doing the same thing, especially for their business oriented models. The only thing Lenovo may be doing is using it for more things than Microsoft had originally planned.

Generally though, I think the feature was a bit of a bad idea by Microsoft to begin with. There's no guarantee that the software being loaded from the flash chips will be compatible with future versions of Windows, and there's no obvious provision for updating it when installing the new version of Windows. More than a few people would toss out the PC after scratching their heads for a while and then assuming there was some mysterious hardware incompatibility with Windows.

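As an added example that is not the commenter's, Lenovo's or Microsoft's code, and in answer to the earlier call for a WPBT table viewer: a parser for the ACPI WPBT structure described above, with the field layout taken from Microsoft's WPBT specification, so a defender can see whether the firmware is advertising a binary to Windows, how big it is, where it sits in memory and what command line it will get. The sample table is constructed here (its OEM strings, physical address, image size and "/quiet" argument are made up), and /sys/firmware/acpi/tables/WPBT is the path under which Linux exposes ACPI tables (root-readable).

```python
import struct
from pathlib import Path

# ACPI standard table header (36 bytes), then the WPBT body (16 bytes) and a
# UTF-16LE command line; field layout follows Microsoft's WPBT specification.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_BODY = struct.Struct("<IQBBH")
SYSFS_WPBT = Path("/sys/firmware/acpi/tables/WPBT")  # where Linux exposes ACPI tables

def parse_wpbt(table: bytes) -> dict:
    """Decode a raw WPBT after checking its signature, length and ACPI checksum."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table shorter than the fixed WPBT fields")
    sig, length, rev, _csum, oem_id, oem_tid, _, _, _ = ACPI_HEADER.unpack_from(table)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT: signature {sig!r}")
    if length != len(table):
        raise ValueError(f"header says {length} bytes, got {len(table)}")
    if sum(table) & 0xFF:  # ACPI rule: all bytes of the table sum to 0 mod 256
        raise ValueError("ACPI checksum mismatch")
    size, addr, layout, ctype, arglen = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    off = ACPI_HEADER.size + WPBT_BODY.size
    if off + arglen > length:
        raise ValueError("argument string runs past the end of the table")
    args = table[off:off + arglen].decode("utf-16-le").rstrip("\x00")
    return {
        "revision": rev,
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oem_tid.rstrip(b"\x00 ").decode("ascii", "replace"),
        "binary_size": size,            # bytes of the PE image held in firmware memory
        "binary_phys_addr": addr,       # physical address Windows copies it from
        "layout_is_single_pe": layout == 1,
        "type_is_native_app": ctype == 1,
        "arguments": args,              # command line passed to the binary
    }

def build_wpbt(oem_id: bytes, oem_table_id: bytes, size: int, addr: int,
               args: str, layout: int = 1, ctype: int = 1) -> bytes:
    """Assemble a well-formed WPBT; used here only to make offline test data."""
    arg_bytes = (args + "\x00").encode("utf-16-le")
    body = WPBT_BODY.pack(size, addr, layout, ctype, len(arg_bytes)) + arg_bytes
    hdr = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                           oem_id, oem_table_id, 1, b"EXMP", 1)
    raw = bytearray(hdr + body)
    raw[9] = (-sum(raw)) & 0xFF  # checksum byte lives at header offset 9
    return bytes(raw)

# Constructed sample table: OEM strings, address, size and command line are made up.
SAMPLE_WPBT = build_wpbt(b"EXAMPL", b"EXAMPLE ", 0x1000, 0x7A000000, "/quiet")

def read_system_wpbt(path: Path = SYSFS_WPBT):
    """Parse the running Linux host's WPBT; None if the firmware publishes none."""
    try:
        return parse_wpbt(path.read_bytes())
    except OSError:  # no such table, or not running as root
        return None

if __name__ == "__main__":
    print("constructed sample:", parse_wpbt(SAMPLE_WPBT))
    print("this host:", read_system_wpbt())
```

A host that returns None from read_system_wpbt() has no WPBT for Windows to act on; a parsed result tells you exactly what the firmware would hand to the next Windows install.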

Re: Windows only though

It could misunderstand ext4 as it tries to read it as NTFS and corrupt the filesystem if it's badly written.


Re: Windows only though

It's complementary to the process that allows you to install Windows onto major vendor laptops without a key (the vendor authorization keys are stored in the BIOS in a similar manner).

Sounds like a well-intentioned feature that wasn't quite thought through properly. Another possible attack vector if you have physical access to the machine, and a really poor use of it by Lenovo.


50 shades of fail.

"I'm sure Lenovo's S&M dept are crying into their <whatever_they_drink_there>"

Possibly they have become confused as to what the "S&M" in their dept. name stands for.


Re: 50 shades of fail.

>Possibly they have become confused as to what the "S&M" in their dept. name stands for.

Empirical evidence would suggest they have a pretty firm grip on it


Re: Windows only though

You do understand, don't you, that Ubuntu != Linux? In fact, if I were responsible for setting up a corporate system and was told to use Linux, Ubuntu would be one of my last choices, because of the need for regular updates. (Fedora, which I use at home, would be the very last choice because of its rapid-release cycle.) No, I'd take something like CentOS, so that I wouldn't have to worry about updates breaking things. Businesses need stability much, much more than they need to be running bleeding edge software.

Anonymous Coward

@thames - Re: Windows only though

Nothing is hidden from the OS, with a rootkit stuff is hidden from the end-user.


Re: Windows only though

Well it'll understand be confused it's not NTFS and not do anything or it'll corrupt the drive. Same for BitLocker partitions too I would have thought.

This is more likely.


Re: Windows only though

Re: Windows Ubuntu CentOS (apparently) only though

@ Joe Zeff

"Linux (e.g. Ubuntu)".

'e.g' = abbreviation for exempli gratia: a Latin phrase that means "for example".

I doubt you'll find a 'Reg' commentard that doesn't know Linux doesn't necessarily mean Ubuntu.

And as for the O/T rant about updates...?

Re: Windows only though

I guess the probability is that most people who buy a Windows PC for a Linux install will probably want to try and dual boot. Certainly this was what I had in mind when I tried to install Linux variants (e.g. Ubuntu) on some budget Lenovo E50 desktops. No amount of tweaking and configuration/boot repair would allow Linux to boot.... the UEFI boot order would always revert to Windows boot first, unless I crippled the Windows boot altogether.

Re: Windows only though

"Lenovo's S&M dept"

They have one of those, too? Wow.

(Having read down, I see I'm not the first to spot this. Must stay in more..)

Re: Windows only though

It could misunderstand ext4 as it tries to read it as NTFS and corrupt the filesystem if it's badly written.

It could. Then your system would fail fsck after every boot (if it managed to boot at all). Then you'd send it back as having a defective hard disk. Then the replacement wouldn't work either. Then you'd demand a refund from your supplier as "goods not fit for purpose".

They *might* try labelling it very clearly as usable with Windows only. At least then you'd know what not to buy. This is assuming that MS would allow use of their trademark in this way. Given their previous history with the EU authorities, I'd advise them against it.

The greater risk would be if it shipped with a BIOS that understood Linux filesystems, and rootkitted them as well. Are we sure that they don't? Maybe it's time to start putting / on an encrypted FS even if you don't want /home to be on one!

Re: @thames - Windows only though

Nothing is hidden from the OS, with a rootkit stuff is hidden from the end-user.

Not true, if something has write access to the OS kernel copied into RAM before it is invoked. Which is exactly what a BIOS does have. It's even able to subvert the bootloader, which comes before the OS and which is equally capable of subverting any OS it loads.

A simple example with non-malicious intent would be to intercept disk IO operations and to cause any access above a nice round number to return an error, as if the disk were that nice round number in size. This was actually used back in the days when disk manufacturers were playing silly buggers, shipping a 1002Mb drive that was bigger than a 1000Mb drive, so if you bought a manufacturer X disk and used all its available capacity, you couldn't later replace it with a manufacturer Y "1Gb" disk. Of course, then manufacturer Y shipped a 1002.25Mb disk ....

There's also Ring -1, the hypervisor, to consider in the case of Intel CPUs, though I'll accept that in this context you may use OS to refer to the hypervisor itself, not the OSes that it supervises.


Re: Windows only though

I've been taught not to trust the filesystem detecting corruption but then again I use a Mac which has HFS+ which is a heap of crap... Only btrfs and zfs checksum files.


Re: 50 shades of fail.

Ahhh, so THAT's what Vendor Tie-In means.....


Re: @thames - Windows only though

Hmmm.... couple this with the ring -2 issue from Intel and it sounds like a wild party for all.....

Of course we mortal users are fscked......

OK, I'll just go cry in my beer.... here, have one too.....

Re: Windows only though

Of course, there'd be nothing to stop Lenovo or whoever adding an ext4 driver and a Linux executable to their UEFI image so that they could compromise more than just Windows. Just because it can't affect Linux right now doesn't mean it won't eventually be co-opted by your friendly local UEFI supplier...

Be interesting if anyone out there knows how easy it is to modify a UEFI image to shoehorn this stuff in. Are all UEFI images typically cryptographically signed?


Re: Windows only though

> I think the feature was a bit of a bad idea by Microsoft to begin with.

I suspect it's also the first step in Microsoft trying to provide the facility that Mac machines have - the ability for a bare-metal machine to do a full install from Apple via the Internet.

Of course, Apple has much tighter control over the hardware and firmware - Microsoft would have to trust that the OEM does a good job of making sure that all the relevant h/w drivers are also present to allow the machine to connect. And we all know how fully trustable the OEMs are, eh?

Re: Windows only though

So is there a patch for WinX to stop the BIOS being tested and executed?

Then one could install Win with the machine internet-free, patch it, then connect and do the post-install upgrades.


Re: Windows only though

"Lenovo's S&M dept are crying into their <whatever_they_drink_there>"

I'm sure they drink the same poo water Bill Gates does.

https://twitter.com/BillGates/status/631602128574881792/photo/1

Anonymous Coward

Re: Windows only though

No effect if blatted with Linux?

Possibly not, I wonder if said LSE could be hijacked to prevent a future installation of Windows, i.e. like what some crim might do if they stole said laptop.

They steal machine, try to install Windows, Windows grabs tainted blob, blob executes and then wipes the Windows installation and puts Linux back on.

x 7

Re: Windows only though

The interesting question is.....how were Lenovo going to install any future driver or software updates? Presumably any subsequent updates would be overwritten and rolled back by the BIOS injection


Re: Windows only though

It's not for online Windows installation, if your Windows installation is hosed it's never going to get to the stage of executing the file held in the BIOS.


Biting the hand that feeds IT © 1998–2017