Has Lenovo lost the security plot?
Less than a year after Superfish, Lenovo is making the security news once more for all the wrong reasons.
In the Android version of the app, no password was required to join an ad-hoc Wi-Fi hotspot that it created. And if you thought that was pretty poor on the security front, some ThinkPad and IdeaPad devices opted instead for a hard-coded password of 12345678.
This would all be bad enough news for the PC manufacturer, but it gets worse when you realise that, in the space of less than a year, Lenovo has also been embroiled in the Lenovo Service Engine rootkit row and the Lenovo System Update privilege escalation vulnerability row.
In the first instance, the Lenovo Service Engine acted in a rootkit-like manner by reinstalling itself even after a fresh Windows install, and then prompting the user to install further software.
And in the latter instance, coming just weeks after the Superfish scandal, the System Update vulnerability left users open to potential man-in-the-middle attacks.
All of which has led some within the industry to ask just what is happening at Lenovo, and whether it has lost the security plot.
Plot, what plot?
Of course, just because a computing giant finds itself at the pointy end of a handful of security scares does not mean there is a culture of insecurity being fostered within the company.
Were that the case then the same allegation could be made in the direction of myriad hardware and software vendors.
Nonetheless, SCMagazineUK.com contacted Lenovo and put it to them that some might suggest a culture of insecurity exists. A Lenovo spokesperson provided the following statement:
"Lenovo recognizes that it has a responsibility to deliver products and services that are as secure as possible. It knows this requires constant vigilance and improvement to minimize risks. It has taken numerous steps to improve its overall approach to protecting its customers from growing cybersecurity threats," the statement read.
Here are a few of the measures quoted by the company:
- In February 2015, Lenovo articulated a commitment for cleaner, safer PCs, saying its standard image for Windows 10 PCs would only include the operating system, security software, Lenovo applications and third-party software required to make hardware work well (for example, when we include unique hardware in our devices, like a 3D camera). This was delivered with the Win 10 preload and this significantly reduced the possible attack surface by eliminating more than 50 percent of preloaded programs.
- Lenovo PSIRT (Product Security Incident Response Team) instituted clear processes to communicate security vulnerabilities and manage coordinated disclosures – in fact, two of the most recent Lenovo security fixes were joint disclosures where we worked closely with independent security researchers to provide downloads that fixed vulnerabilities and protected customers before the vulnerabilities were made public.
- We implemented best-in-class security protocols for dealing with vulnerabilities, constantly testing and improving all software to keep up with the latest threats/attacks. While the volume of attention of the security vulnerabilities has increased in step with broader public awareness of cybersecurity matters, Lenovo products are in fact more secure than ever before and we are focused on improving even more.
- We actively engaged with three third-party security firms to thoroughly vet all preloads, as well as anticipate and circumvent potential threats. We have actively taken recommendations by these third parties to tighten standards for preloaded software and have made improvements to software that remains in the preload.
- We continuously update our user community by regularly issuing security advisories and updates to ensure that any potential vulnerabilities are eliminated and disclosed as quickly as possible, while prioritizing users' security in the process.
- Lenovo is by no means finished. It is constantly working to improve the security of its processes and products to ensure security is paramount every step of the way. Today, known vulnerabilities are addressed faster than ever before, we have reduced our attack surfaces and we will strive to do even better in the days, weeks, and months ahead.