Has Lenovo lost the security plot?

News by Davey Winder

Less than a year after Superfish, Lenovo is making the security news once more for all the wrong reasons.

Four vulnerabilities were found by Core Security, and thankfully now fixed by Lenovo, impacting some users of Lenovo's SHAREit app.

In the Android version of the app, no password was required to join an ad-hoc Wi-Fi hotspot that it created. And if you thought that was pretty poor on the security front, some ThinkPad and IdeaPad devices opted instead for a hard-coded password of 12345678.

This would all be bad enough news for the PC manufacturer, but it gets worse when you realise that in the space of less than a year things have also gone pear-shaped in the form of the Lenovo Service Engine rootkit row and the Lenovo System Update privilege escalation vulnerability row.  

In the first instance, the Lenovo Service Engine acted in a rootkit-like manner by reinstalling itself even after a fresh Windows install, and then prompting the user to install further software.

And in the latter instance, coming just weeks after the Superfish scandal, the System Update vulnerability left users open to potential man-in-the-middle attacks.

All of which has led some within the industry to ask just what is happening at Lenovo, and whether it has lost the security plot?

Plot, what plot?

Of course, just because a computing giant finds itself at the pointy end of a handful of security scares does not mean there is a culture of insecurity being fostered within the company.

Were that the case then the same allegation could be made in the direction of myriad hardware and software vendors.

Nonetheless, SCMagazineUK.com contacted Lenovo and put it to them that some might suggest a culture of insecurity exists. A Lenovo spokesperson provided the following statement:

"Lenovo recognizes that it has a responsibility to deliver products and services that are as secure as possible. It knows this requires constant vigilance and improvement to minimize risks. It has taken numerous steps to improve its overall approach to protecting its customers from growing cybersecurity threats," the statement read.

Here are a few of the measures quoted by the company:

  • In February, 2015, Lenovo articulated a commitment for cleaner, safer PCs, saying its standard image for Windows 10 PCs would only include the operating system, security software, Lenovo applications and third-party software required to make hardware work well (for example, when we include unique hardware in our devices, like a 3D camera). This was delivered with the Win 10 preload and this significantly reduced the possible attack surface by eliminating more than 50 percent of preloaded programs.
  • Lenovo PSIRT (Product Security Incident Response Team) instituted clear processes to communicate security vulnerabilities and manage coordinated disclosures – in fact, two of the most recent Lenovo security fixes were joint disclosures where we worked closely with independent security researchers to provide downloads that fixed vulnerabilities and protected customers before the vulnerabilities were made public.
  • We implemented best-in-class security protocols for dealing with vulnerabilities, constantly testing and improving all software to keep up with the latest threats/attacks. While the volume of attention of the security vulnerabilities has increased in step with broader public awareness of cybersecurity matters, Lenovo products are in fact more secure than ever before and we are focused on improving even more.
  • We actively engaged with three third-party security firms to thoroughly vet all preloads, as well as anticipate and circumvent potential threats. We have actively taken recommendations by these third parties to tighten standards for preloaded software and have made improvements to software that remains in the preload.
  • We continuously update our user community by regularly issuing security advisories and updates to ensure that any potential vulnerabilities are eliminated and disclosed as quickly as possible, while prioritizing users' security in the process.
  • Lenovo is by no means finished. It is constantly working to improve the security of its processes and products to ensure security is paramount every step of the way. Today, known vulnerabilities are addressed faster than ever before, we have reduced our attack surfaces and we will strive to do even better in the days, weeks, and months ahead. 

Insecurity by design

Ian Trump, security lead at LOGICnow, agrees that the problem is not a culture of insecurity at Lenovo. Instead he told SC that he thinks it's "a culture of insecurity across many major manufacturers". Trump points to the root certificate security issues experienced by Dell at the end of last year and the "near daily revelations about Fortigate, AMX and Juniper SSH backdoors and hard coded passwords" which Trump describes as "shameful".

Trump sees two problems here. "The manufacturers are struggling to recruit the necessary cyber-security talent to build secure products," he said. "And the economics of security as a value-add feature, or security as a design requirement are murky."

The problem is, Trump reckons, that it's difficult to measure the value of security, and it's not clear whether ensuring a secure product from the start, or fixing security issues later, provides the better return on investment (ROI). "Until manufacturers look closely at, and validate the idea of, designing a secure product from the start," Trump concludes, "we will continue to be disappointed in many companies' security efforts."

Kevin Bocek, VP of security strategy and threat intelligence at Venafi, argues that all of this raises the broader issue of who – and what – large technology businesses are trusting at each stage of their information supply chains. "As Lenovo's Superfish and Dell's root-level CA incidents show," Bocek told SC, "many in the industry are putting their own security (and that of their customers) in the hands of others that they don't necessarily know."

This implicit trust shines a light on the issue of information supply chain security. It is a matter of who or what we should trust, the questions we have to ask and, as Bocek concludes, "the demands we need to make to get better security from all IT suppliers, not just Lenovo".

Andrew Conway, a research analyst at Cloudmark, shares the feeling within the IT security industry that the same levels of insecurity appear to exist across the board. "In the highly competitive and low margin Windows laptop business," Conway suggests, "features and performance contribute more to making a sale than security."

Conway believes that the solution is for hardware and software vendors to provide a warranty that covers losses due to security flaws in their products. "There would still be room for low end vendors to provide unwarranted and less secure products," he explained, "but government, military, and many big business users would be willing to pay a large premium for products that are less vulnerable to attack."

Interest free?

Meanwhile, the co-founder of Xiphos Research, Michael Kemp, was candid in his response. "Without having intimate knowledge of the working practices of Lenovo and the organisational culture," he admitted, "it is difficult to determine the organisation wide response to, or interest in, security, and it would be remiss to speculate."

However, based upon the incidents that have occurred, and the regularity for that matter, he also agreed it does raise questions that need answering.

"With regards to the SHAREit application containing basic vulnerabilities, that should have been detected in any focused QA review," Kemp insists. "Not even a penetration test is required to realise the hotspot doesn't have a password, after all."

Kemp is also concerned at the length of time it took to remediate this particular bunch of vulnerabilities. "In essence, it took Lenovo 90 days to add features that should have been there from the inception of the application design phase."

While the commitment to security and privacy made by Lenovo in its statement to SC is welcome, Kemp isn't convinced it will be enough. "To address this may require an organisation wide restructure," he concluded, "or customers using the power of voting with their feet, and their purchasing budgets, to force change..." 
