Lenovo PCs and Laptops seem to have a BIOS level backdoor
Lenovo PCs and laptops seem to have a rootkit hidden in their BIOS
The Chinese PC and laptop maker Lenovo is once again in the eye of the storm after users found that their machines ship with a hidden backdoor at the BIOS level. Earlier this year, Lenovo consumer laptops were found to ship with Superfish, adware that installed its own root certificate on the machine.
The UEFI-level installer was first noticed by a user, willSmith1701, on the Ars Technica forum. He had purchased a Lenovo G50-80 and done a clean install of Windows from a retail disc; on rebooting the freshly installed system he got a pop-up message saying:
“Note: This is from the product itself and not from the network. To help you continue to upgrade system firmware and software, in order to make your system more stable, safe and high performance, download and install the Lenovo system optimization software. The software download process needs to connect to the internet. Click here to read the Lenovo License Agreement LLA”
The pop-up offers the choice to cancel, or to agree and install. That, however, is not the issue. The user had done a clean install, so nothing from Lenovo should have been on the disk to show such a message in the first place; it is a strong hint that something in the UEFI firmware itself is injecting software into Windows.
Another user, Chuck11, found files such as LenovoCheck.exe and LenovoUpdate.exe on the system, together with a running Lenovo service; they come back on reboot even after being deleted:
“Uh oh – check your Services tab in Task Manager – “Lenovo Update” service is there and running for me (even though I said NO to the popup!) And there’s a bunch of crap in c:\windows\system32 like LenovoCheck.exe, LenovoUpdate.exe and various things in the registry. If you delete those files, or just overwrite them with junk, they reappear when you reboot. If you Disable the service, it is Running when you reboot! See this thread for someone else who noticed this, with more details – nobody believes him! He thinks it’s UEFI”
Another user, ge814, gave a detailed explanation of how LenovoCheck.exe and LenovoUpdate.exe get created on these machines.
He says that before Windows 7 or 8 boots, the BIOS checks whether C:\Windows\system32\autochk.exe is the Lenovo one or the original Microsoft one. If it is not the Lenovo one, it moves the original to C:\Windows\system32\0409\zz_sec\autobin.exe and then writes its own autochk.exe in its place.
During boot, the Lenovo autochk.exe writes a LenovoUpdate.exe and a LenovoCheck.exe into the system32 directory, something it should not be doing, and then sets up a service to run one of them once an internet connection is established.
Once online, it requests http://download.lenovo.com/ideapad/wind … 2_oko.json over plain HTTP.
That by itself is a serious issue for Lenovo users: the combination of a “ForceUpdate” parameter in that file and the lack of TLS means that anyone positioned between the machine and download.lenovo.com (a hostile access point, DNS resolver or ISP) can substitute their own response and have the updater download and run code of their choosing, i.e. a man-in-the-middle attack leading to remote code execution.
Because the files are rewritten by the firmware on every boot, deleting them from inside Windows does not help. The only way to get rid of both pieces, as the thread describes it, is to remove the offending module from the BIOS image and reflash it. Only users who are comfortable flashing firmware with external hardware should attempt this; a mistake can brick the machine.
- First you’ll need a USB flash ROM reader/writer (a cheap CH341A one works fine) and a SOIC-8 test clip.
- Take the back cover off the laptop, disconnect the battery, and locate the BIOS (SPI flash) chip on the motherboard.
- Attach the test clip to the chip, making sure pin 1 of the clip lines up with pin 1 of the chip, and connect the clip’s other end to the USB programmer.
- Connect the USB programmer to another computer.
- On the other computer, use the programmer to dump a copy of the BIOS. Read it twice and compare the two dumps to make sure the clip is making good contact, and keep an untouched copy of the original dump so you can restore it if the modified image does not boot.
- On this model the dump is an 8MB file (if yours is a different size, the chip is different and the offsets below do not apply). Split it into two files: the first 2MB and the last 6MB.
- Download UEFITool from GitHub (https://github.com/LongSoft/UEFITool) and open the 6MB file.
- Look through the modules for the one called “NovoSecEngine2” and mark it for deletion.
- Save the edited 6MB file as a new copy.
- Build a new 8MB file by taking the 2MB head from earlier and appending the edited 6MB file to it. Check that the result is exactly 8MB and that the first 2MB are byte-for-byte identical to the original dump.
- Use the programmer to flash the new 8MB file to the chip, then read the chip back and verify that it matches what you wrote.
- Once you are done, disconnect the clip and put the laptop back together.
- Reinstall a fresh copy of Windows and check C:\Windows\system32\autochk.exe to make sure it is the Microsoft original and not the Lenovo one (compare it with the copy on your installation media; the Lenovo one is signed by Lenovo rather than Microsoft). Also make sure no C:\Windows\system32\0409\zz_sec\autobin.exe has appeared, since that is where the firmware parks the original.
- If the original Microsoft file is in place, congratulations, your laptop is clean.
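The split, edit and rejoin steps are easy to get wrong by a single byte, which is enough to produce an image that will not boot. The following Python helpers are an added example, not code from the Ars Technica thread or from Lenovo: they cut the dump at the 2MB boundary given above, rebuild it, and run the checks a practitioner would want before writing the chip (correct total size, untouched head, module name gone, read-back identical). They assume the 8MB/2MB layout from the post and that module names inside the firmware are stored as UCS-2 (UTF-16LE) strings, which is how UEFI UI sections store them. `make_sample_dump` and `simulate_uefitool_removal` are constructed stand-ins for a real dump and for UEFITool’s output so the script runs offline.

```python
"""Split / rejoin / sanity-check helpers for the BIOS image procedure.

Added example. Assumptions (not from the original post): the dump is
exactly 8 MiB, the first 2 MiB are left untouched, and module names in
the firmware volume are stored as UCS-2 (UTF-16LE) strings.
"""
from typing import List, Tuple

MIB = 1024 * 1024
IMAGE_SIZE = 8 * MIB              # size of the G50-80 dump in the post
HEAD_SIZE = 2 * MIB               # head that must stay byte-for-byte intact
BODY_SIZE = IMAGE_SIZE - HEAD_SIZE
MODULE_NAME = "NovoSecEngine2"    # module the post says to delete


def find_module_name(image: bytes, name: str = MODULE_NAME) -> List[int]:
    """Offsets at which the UCS-2 module name occurs; [] if absent."""
    needle = name.encode("utf-16-le")
    offsets, pos = [], image.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(needle, pos + 1)
    return offsets


def split_image(image: bytes) -> Tuple[bytes, bytes]:
    """Cut the dump into the 2 MiB head and the 6 MiB body for UEFITool.

    Refuses anything that is not exactly 8 MiB: a different size means a
    different chip, and the 2 MiB offset from the post does not apply.
    """
    if len(image) != IMAGE_SIZE:
        raise ValueError(f"expected {IMAGE_SIZE} bytes, got {len(image)}")
    return image[:HEAD_SIZE], image[HEAD_SIZE:]


def rebuild_image(head: bytes, body: bytes) -> bytes:
    """Reassemble head + edited body, insisting both halves kept their size
    (the edited volume must not have grown or shrunk)."""
    if len(head) != HEAD_SIZE:
        raise ValueError(f"head must be {HEAD_SIZE} bytes, got {len(head)}")
    if len(body) != BODY_SIZE:
        raise ValueError(f"body must be {BODY_SIZE} bytes, got {len(body)}")
    return head + body


def check_before_flash(original: bytes, new: bytes) -> List[str]:
    """Pre-flash checks; returns a list of problems, empty when safe."""
    problems = []
    if len(new) != IMAGE_SIZE:
        problems.append(f"new image is {len(new)} bytes, not {IMAGE_SIZE}")
    if new[:HEAD_SIZE] != original[:HEAD_SIZE]:
        problems.append("first 2 MiB differ from the original dump")
    if find_module_name(new):
        problems.append(f"module {MODULE_NAME} still present in new image")
    return problems


def verify_readback(written: bytes, readback: bytes) -> bool:
    """After flashing, the chip read back must equal what was written."""
    return written == readback


# --- constructed stand-ins so the example runs offline -------------------

def make_sample_dump(name_offset: int = HEAD_SIZE + 0x12340) -> bytes:
    """Constructed fake dump: erased flash (0xFF) with a marker in the head
    and the module's UCS-2 name somewhere in the body."""
    buf = bytearray(b"\xff" * IMAGE_SIZE)
    buf[:16] = b"FAKE-DESCRIPTOR!"          # stands in for the real head
    needle = MODULE_NAME.encode("utf-16-le")
    buf[name_offset:name_offset + len(needle)] = needle
    return bytes(buf)


def simulate_uefitool_removal(body: bytes) -> bytes:
    """Stand-in for the 6 MiB file UEFITool saves after the module is
    deleted: here the name is simply overwritten with erased-flash bytes.
    A real deletion rewrites the firmware volume; this only feeds the checks."""
    needle = MODULE_NAME.encode("utf-16-le")
    return body.replace(needle, b"\xff" * len(needle))


if __name__ == "__main__":
    dump = make_sample_dump()
    print("module name found at offsets:", [hex(o) for o in find_module_name(dump)])
    head, body = split_image(dump)
    new_image = rebuild_image(head, simulate_uefitool_removal(body))
    print("pre-flash checks:", check_before_flash(dump, new_image) or "OK")
    print("read-back matches:", verify_readback(new_image, new_image))
```

With a real dump, read the file in binary mode and pass its contents to `split_image`, write the body out for UEFITool, then feed the saved file back through `rebuild_image` and `check_before_flash` before touching the chip. The post does not name a tool for the dump and write steps; flashrom is one that drives a CH341A (`flashrom -p ch341a_spi -r dump.bin` to read, `-w new.bin` to write), and comparing a second read against the file you wrote is the `verify_readback` step.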
It is clear that Lenovo is shipping PCs and laptops with a boot-level rootkit that force-installs unwanted spyware and bloatware from the firmware, surviving even a clean reinstall of Windows. The files created by the rootkit are further connecting
We have reached out to Lenovo for comment on the issue.