Security alert as Lenovo caught using rootkit to install software

The technique has been likened to the rootkits used by hackers to make it impossible to delete malware from machines. It is based around the Lenovo Service Engine, a program embedded within the motherboard BIOS or UEFI of Lenovo laptops and computers.
This property means that Lenovo Service Engine can operate even after the computer’s hard drive is wiped and Windows reinstalled. It overwrites a Windows system file with its own version, telling the computer to download Lenovo files once connected to the Internet — whether the user asks for them or not.
It automatically installs Lenovo’s suite of pre-installed apps, the appropriate drivers for the computer and any available software updates. In many cases, the user will not be wanting any of this: the purpose of doing a clean install of Windows is usually to remove any manufacturer-installed bloat.
Unfortunately for users, the issues with Lenovo Service Engine go even deeper. The company admitted in a July 31 security notice that “high” severity weaknesses and flaws in the software mean it can be exploited by hackers to install malware. For all intents and purposes, Lenovo Service Engine appears to be an easily-accessible working rootkit that could be used by anybody to ensure a Lenovo computer always has certain files installed.
The engine also phones home to Lenovo at times to report “non-personally identifiable system data” about the computer on which it is running. This includes the model, processor type, installed hard drive, amount of memory and other hardware details.
ZDNet reports the actions of Lenovo Service Engine were first discovered by users in May. Threads on forums since then have been filled with stories from users wondering how Lenovo programs and pop-ups began appearing on their computer after performing a clean install of Windows.
The story broke earlier this week when it appeared on Hacker News. Since then, the Chinese computer manufacturer has faced strong accusations from users concerned about the morality of its practices.
In a thread on the Ars Technica forums early this month, user ge814 got to the bottom of exactly what Lenovo Service Engine is doing after chuck11 realised “This has to be UEFI [BIOS]… it appears even without a network connection”. A puzzled user was seeking the cause of the Lenovo messages being displayed on his computer after using a retail DVD to install Windows.
ge814 explains: “Before booting windows 7 or 8, the bios checks if C:\Windows\system32\autochk.exe is the Lenovo one or the original Microsoft one. If it is not the lenovo one, it moves it to [a temporary location] and then writes its own autochk.exe. During boot, the Lenovo autochk.exe writes a LenovoUpdate.exe and a LenovoCheck.exe file to the system32 directory, and sets up a service to run one of them when an internet connection is established.”
In short, Windows always runs the autochk.exe file at start-up, so by replacing it with its own version Lenovo can force its programs to be downloaded to the computer. The explanation continues to highlight how the software later phones home to Lenovo and that it is “fairly likely that it’s exploitable for remote code execution” — almost certainly the “vulnerabilities” warned of by Lenovo itself in its security bulletin.
Lenovo has released a BIOS patch that disables the engine on all affected computers. These include consumer-oriented desktops, laptops and convertibles that came preinstalled with Windows 7, 8.0 or 8.1. Models usually marketed at businesses, such as the ThinkPad and IdeaPad ranges, are not affected.
A complete list of impacted models and a download for the patch is available on the Lenovo website. Owners must install the patch manually to have it applied as it is an update for the software powering the motherboard and not an issue in Windows.
This is a serious shortcoming on Lenovo’s part and it is understandable that users are becoming distrustful of the once well-regarded brand. Earlier this year, the company was forced to admit wrongdoing and apologise when it emerged that computers shipped to 16 million people came pre-installed with Superfish adware capable of intercepting and hijacking network traffic using supposedly secure connections.
This time around, the company has been found using a technique employed by hackers to ensure that its own content always makes its way onto a machine. In doing so, it has opened customers’ computers up to attack from actual hackers and has rewritten core Windows system files that should ordinarily be left alone.
As Geek.com notes, Lenovo Service Engine is not actually a rootkit but is very reminiscent of one. It actually uses the Windows Platform Binary Table (WPBT): technology built into Windows that is designed to allow manufacturers to install required software, such as drivers for obscure hardware, from the BIOS onto a clean install of Windows.
Lenovo has been clearly misusing the feature though, directly violating guidance from Microsoft that stipulates that users must be provided with a method to opt out and prevent any automatic software installs. Instead, the company assumes that everybody is desperate to be shown annoying pop-up messages after reinstalling Windows and is happy to have details of their computer sent automatically to its servers.
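Because the WPBT is an ordinary ACPI table that firmware hands to Windows, an owner or administrator can inspect it directly to see whether their firmware is advertising a binary for Windows to run at boot, which is the check that would have exposed a mechanism like this one. The script below is an added example written for this article, not Lenovo's or Microsoft's code. It parses the table layout from Microsoft's public WPBT specification (36-byte ACPI header, then handoff size and location, content layout, content type and an optional UTF-16LE argument string), validates the ACPI checksum, and summarises what the firmware is asking for. The sample table bytes are constructed here for a hypothetical vendor and binary; the live read via `GetSystemFirmwareTable` only runs on Windows and returns `None` elsewhere.

```python
"""Inspect a Windows Platform Binary Table (WPBT) ACPI table.

Added example for this article, not vendor code. Field layout follows
Microsoft's public WPBT specification; the sample table below is constructed
and describes a hypothetical binary, not the real Lenovo Service Engine image.
"""
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional

# ACPI table header: Signature, Length, Revision, Checksum, OEM ID,
# OEM Table ID, OEM Revision, Creator ID, Creator Revision (36 bytes).
ACPI_HEADER_FMT = "<4sIBB6s8sI4sI"
ACPI_HEADER_LEN = struct.calcsize(ACPI_HEADER_FMT)
ACPI_CHECKSUM_OFFSET = 9  # after Signature (4) + Length (4) + Revision (1)

# WPBT body after the header: Handoff Memory Size (u32), Handoff Memory
# Location (u64), Content Layout (u8), Content Type (u8), Input Arguments
# Length (u16), followed by the UTF-16LE argument string.
WPBT_BODY_FMT = "<IQBBH"
WPBT_BODY_LEN = struct.calcsize(WPBT_BODY_FMT)
CONTENT_LAYOUT_SINGLE_PE = 1        # one flat PE image in the handoff buffer
CONTENT_TYPE_NATIVE_USER_MODE = 1   # native app run by Session Manager at boot


@dataclass
class Wpbt:
    oem_id: str
    oem_table_id: str
    handoff_size: int
    handoff_location: int
    content_layout: int
    content_type: int
    arguments: str
    checksum_ok: bool


def acpi_checksum_ok(table: bytes) -> bool:
    """Every ACPI table must sum to zero modulo 256 across all its bytes."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> Wpbt:
    """Decode a raw WPBT table; raises ValueError on a malformed table."""
    if len(table) < ACPI_HEADER_LEN + WPBT_BODY_LEN:
        raise ValueError("table too short to be a WPBT")
    sig, length, _rev, _chk, oem_id, oem_tid, _orev, _cid, _crev = struct.unpack_from(
        ACPI_HEADER_FMT, table, 0)
    if sig != b"WPBT":
        raise ValueError("not a WPBT table: signature %r" % sig)
    if length != len(table):
        raise ValueError("header length %d does not match %d bytes read" % (length, len(table)))
    hsize, hloc, layout, ctype, arglen = struct.unpack_from(WPBT_BODY_FMT, table, ACPI_HEADER_LEN)
    args_off = ACPI_HEADER_LEN + WPBT_BODY_LEN
    if args_off + arglen > len(table):
        raise ValueError("argument length runs past end of table")
    args = table[args_off:args_off + arglen].decode("utf-16-le", "replace").rstrip("\x00")
    return Wpbt(oem_id.decode("ascii", "replace").strip(),
                oem_tid.decode("ascii", "replace").strip(),
                hsize, hloc, layout, ctype, args, acpi_checksum_ok(table))


def describe(w: Wpbt) -> List[str]:
    """Human-readable findings a defender would want from the table."""
    lines = ["firmware OEM %r, table id %r" % (w.oem_id, w.oem_table_id),
             "binary: %d bytes at physical address 0x%X" % (w.handoff_size, w.handoff_location)]
    if w.content_layout == CONTENT_LAYOUT_SINGLE_PE and w.content_type == CONTENT_TYPE_NATIVE_USER_MODE:
        lines.append("single native PE image that Session Manager will write to system32 and run at boot")
    else:
        lines.append("unrecognised layout %d / type %d" % (w.content_layout, w.content_type))
    lines.append("arguments: %r" % w.arguments if w.arguments else "arguments: none")
    if not w.checksum_ok:
        lines.append("WARNING: ACPI checksum mismatch, table is corrupt or tampered")
    return lines


def build_sample_table(args: str = "") -> bytes:
    """Constructed sample WPBT for a hypothetical vendor (not real firmware data)."""
    arg_bytes = args.encode("utf-16-le")
    body = struct.pack(WPBT_BODY_FMT, 0x1000, 0x7F000000,
                       CONTENT_LAYOUT_SINGLE_PE, CONTENT_TYPE_NATIVE_USER_MODE, len(arg_bytes)) + arg_bytes
    header = struct.pack(ACPI_HEADER_FMT, b"WPBT", ACPI_HEADER_LEN + len(body), 1, 0,
                         b"EXAMPL", b"SAMPLE01", 1, b"TEST", 1)
    raw = bytearray(header + body)
    raw[ACPI_CHECKSUM_OFFSET] = (-sum(raw)) % 256  # make the whole table sum to zero
    return bytes(raw)


def read_wpbt_from_firmware() -> Optional[bytes]:
    """On Windows, fetch the live WPBT via kernel32 GetSystemFirmwareTable; None if absent."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    provider = int.from_bytes(b"ACPI", "big")      # 'ACPI' provider signature
    table_id = int.from_bytes(b"WPBT", "little")   # table signature as stored in memory
    size = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if size == 0:
        return None
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(provider, table_id, buf, size)
    return buf.raw


if __name__ == "__main__":
    live = read_wpbt_from_firmware()
    table = live if live is not None else build_sample_table("/silent")
    print("source: %s" % ("live firmware" if live is not None else "constructed sample"))
    for line in describe(parse_wpbt(table)):
        print(" -", line)
```

On a Windows machine the script reports the live table when the firmware exposes one; a clean system with no vendor binary returns no table at all, so any reported PE image is worth matching against what the vendor documents and whether an opt-out is offered. On other platforms, or when no table is present, it falls back to the constructed sample so the parser can be exercised offline.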
Currently, the only way for a user to protect themselves is to download and run the BIOS patch immediately. Lenovo has not yet commented further on the risks posed by Lenovo Service Engine.