Lenovo laptops automatically re-install removed software

Firmware on Lenovo laptops keeps installing software - which is not just annoying, it's also a security vulnerability.


Lenovo has been found to be sneaking bloatware onto its laptops that re-installs itself after being removed by users. The firmware responsible has also been found to harbour a security vulnerability that could allow hackers to re-infect systems with malware.

The laptop manufacturer uses a feature in Windows that enables OEMs to install any software they like. But even if users completely wipe the hard drive and carry out a clean install of the OS, the firmware re-installs Lenovo software.

The problem was first discovered by Ars Technica forum user ge814 and later verified by Hacker News user chuckup. In May, it was found that the user's new Lenovo laptop automatically, and without warning, overwrote system files when booting up. This then downloaded a Lenovo update that installed software automatically. Essentially, the code existed as a rootkit-like tool to ensure that Lenovo software continued to be present despite user intervention.

The firmware, called Lenovo Service Engine (LSE), downloads an application called OneKey Optimiser. This software is used for “enhancing PC performance by updating firmware, drivers and pre-installed apps” as well as “scanning junk files and find factors that influence system performance.”

LSE ensures that a file called autochk.exe is replaced by the firm's own version. This version in turn ensures that LenovoUpdate.exe and LenovoCheck.exe are present in the operating system's system32 directory. If they are not found, they are downloaded automatically. These two pieces of software then download and install drivers as well as any other software Lenovo wants to run.

The process takes advantage of Microsoft's Windows Platform Binary Table (WPBT) feature, an anti-theft measure. This enables OEMs to install software on Windows from the firmware on the motherboard by telling Windows where in memory an executable, called a platform binary, can be found.
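An added example, not part of the original article and not Lenovo's or Microsoft's code: a Python parser for a raw WPBT ACPI table dump, which lets a defender see whether firmware is advertising a platform binary and where in memory it sits. The field layout follows Microsoft's published WPBT specification rather than anything stated on this page, and the sample table (OEM ID, address, arguments) is constructed.

```python
import struct

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")  # handoff size, handoff address, layout, type, args length

def parse_wpbt(table: bytes) -> dict:
    """Parse a raw WPBT table and return the fields worth auditing."""
    fixed = ACPI_HEADER.size + WPBT_BODY.size
    if len(table) < fixed:
        raise ValueError("too short to be a WPBT table")
    sig, length, _rev, _csum, oem_id, _tid, _orev, _cid, _crev = ACPI_HEADER.unpack_from(table)
    if sig != b"WPBT":
        raise ValueError("not a WPBT table")
    if not fixed <= length <= len(table):
        raise ValueError("declared length is inconsistent with the data")
    table = table[:length]
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    if fixed + args_len > length:
        raise ValueError("argument string runs past the end of the table")
    args = table[fixed:fixed + args_len].decode("utf-16-le", errors="replace")
    return {
        "checksum_ok": sum(table) & 0xFF == 0,  # all bytes of an ACPI table sum to 0 mod 256
        "oem_id": oem_id.decode("ascii", errors="replace").strip("\x00 "),
        "handoff_size": size,        # size in bytes of the platform binary
        "handoff_address": addr,     # physical address the firmware placed it at
        "content_layout": layout,
        "content_type": ctype,
        "arguments": args.rstrip("\x00"),
    }

def build_sample_wpbt() -> bytes:
    """Constructed sample table; every value here is made up for the demo."""
    args = "/sample".encode("utf-16-le")
    body = WPBT_BODY.pack(0x20000, 0x7F000000, 1, 1, len(args)) + args
    length = ACPI_HEADER.size + len(body)
    raw = bytearray(ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"SAMPLE",
                                     b"EXAMPLE ", 1, b"TEST", 1) + body)
    raw[9] = (-sum(raw)) & 0xFF  # checksum byte lives at offset 9 of the header
    return bytes(raw)

if __name__ == "__main__":
    for key, value in parse_wpbt(build_sample_wpbt()).items():
        print(f"{key}: {value}")
```

On Linux the kernel exposes the table, when the firmware publishes one, at `/sys/firmware/acpi/tables/WPBT`; reading that file as root and passing the bytes to `parse_wpbt` gives the same report for a real machine.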

The process relies on the installation of secured code on the laptop.

Unfortunately, security flaws in LSE were discovered by security researcher Roel Schouwenberg back in April, including buffer overflows and insecure network connections. As a result, Lenovo has not used LSE in new laptops since June. The firm has moved to provide updates for affected laptops and given instructions on how to disable the option on systems. However, this does mean that not all Lenovo users have machines updated to avert the risk of software, and potentially malware, re-installing on affected machines.

The Lenovo laptops affected include: Flex 2 Pro-15/Edge 15 (Broadwell/Haswell models), Flex 3-1470/1570/1120, G40-80/G50-80/G50-80 Touch/V3000, S21e, S41-70/U40-70, S435/M40-35, Yoga 3 14, Yoga 3 11, Y40-80, Z41-70/Z51-70 and Z70-80 / G70-80.

A spokeswoman for Lenovo told SCMagazineUK.com that Lenovo made available new BIOS firmware for some of its consumer PCs that eliminated a security vulnerability that was discovered and brought to its attention by Schouwenberg.

“In coordination with Mr Schouwenberg and in line with industry responsible disclosure best practice, on July 31, 2015, we issued Lenovo Product Security Advisories, that highlighted the new BIOS firmware – specifically for consumer Notebook and Desktop,” the firm said in a statement.

“Along with this security researcher, Lenovo and Microsoft have discovered possible ways this program could be exploited in the Lenovo Notebook implementation by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server.”

It said that as a result of these findings, Microsoft recently released updated security guidelines on how to best implement this Windows BIOS feature.

“As a result, LSE is no longer being installed on Lenovo systems. It is strongly recommended that customers update their systems with the new BIOS firmware which disables and/or removes this feature,” the firm said.

Justin Clarke, director at Gotham Digital Science and London OWASP Chapter Leader, told SCMagazineUK.com that while it has historically been common for PC vendors to ship proprietary software on laptops, “Lenovo clearly stepped over the mark by having this software aggressively reinstall itself on machines that had been cleanly reinstalled without it.”

“The issue here is that the OKO software itself had security issues that hackers could possibly use to obtain access to a user's machine or to install malware,” he said.

Joe Bursell of Pen Test Partners told SCMagazineUK.com that this method of ensuring that Lenovo's software is installed is no different to a malicious rootkit and almost certainly could be taken over by attackers to deploy their own malware rather than Lenovo's software. “The problem is that Lenovo never realised how dangerous this practice really was,” he said.

“If the firmware could be modified somehow, this would be a simple matter of replacing one of the binaries deployed by Lenovo's software with one produced by the attacker. Once this binary is executed with high privileges on the system, full compromise is unavoidable. This is for all intents and purposes a backdoor that bypasses the operating system's access controls including full disk encryption,” he said.

Bursell added that any mechanism that bypasses the operating system to install things is potentially dangerous.

“One that forcibly installs software that runs under full privileges is really dangerous. As it has been proven Lenovo was forcibly installing vulnerable binaries on the operating system - in this case no anti-virus or OS reinstallation would be able to rescue the laptop.”

Bursell said that this is a bypass somehow sanctioned by Microsoft, so it is more a “feature than a fault”.

“Notably a really bad idea. The notion that a backdoor can be installed to be used only by the 'good guys' is absolutely false. The problem is that *there is a backdoor* and anyone could exploit it - otherwise it would not be a backdoor,” he said.

He added that there is very little an organisation could do to protect themselves should malware enter a system via this route other than “ensuring that every aspect of the host is scrutinised including the BIOS and other firmware on the system.”

“This is not an issue that could be detected easily and I am not sure the feature could be disabled.”

Lenovo has had to lay off 3,200 employees as part of streamlining its mobile and PC businesses. According to a report from the Verge, Lenovo chairman and CEO Yang Yuanqing pledged the headcount loss as part of plans to increase efficiency across the company. The firm has also reported a sharp drop in profits.