Security: A Lenovo-sanctioned rootkit

After a completely fresh installation of Windows on a Lenovo laptop, a Lenovo service suddenly appeared and surprised a user. He suspected some kind of BIOS rootkit, and he was not far wrong.

Reading a thread on YCombinator's Hacker News, you might think evil hackers were at work. A user, alarmed by the reports of preinstalled bloatware and especially the insecure Superfish adware on Lenovo computers, ventured a clean installation of Windows on a laptop from the Chinese manufacturer. He used a brand-new SSD and an official Windows 8 installation DVD, and did without an Internet connection during the installation. To his surprise, after installing he found a running service from the laptop manufacturer. He deleted the software, and it reappeared after the next restart. He suspected a BIOS rootkit from Lenovo, and he was almost right.

Lenovo Service Engine (LSE) is the name of the laptop manufacturer's tool. Officially, it is a BIOS utility. It collects information about the computer (model and type), the UUID of the installed system, location data and the date, and sends them to the manufacturer. Personal information is said not to be transmitted. And as mentioned, the service is built into the BIOS of some Lenovo computers and is loaded and executed even after a complete reinstallation of Windows.

Installation via Microsoft

To do this, Lenovo uses Microsoft's Windows Platform Binary Table (WPBT). This mechanism allows Windows, from version 8 onward, to load binaries that third parties have stored in the BIOS. The WPB table is embedded in the Advanced Configuration and Power Interface (ACPI). Through it, binaries can be loaded during the installation of Windows without "having to be present on the installation media," says the official Microsoft documentation.

"The main purpose of WPBT is to make key software available even when an operating system is reinstalled or changed to a 'clean' configuration," the document says. One legitimate use it names is anti-theft software. Even for legitimate use, the document is explicit: software loaded via WPBT must not compromise the security of the operating system, must be digitally signed, and may send only encrypted data to the manufacturer. Particular emphasis is placed on the rule that software stored in the BIOS must not disable Microsoft's update function in any way. Samsung recently made headlines when its software unilaterally disabled at least the automatic updating of Windows. Microsoft's document itself dates from December 2011, but was extended with new guidelines for Windows 10 in July 2015.
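To make the mechanism concrete, here is an added example (not code from the article, from Microsoft or from Lenovo) that parses a WPBT according to the layout in Microsoft's WPBT specification: a standard 36-byte ACPI header, then the size and physical address of the handoff memory holding the binary, a content layout byte, a content type byte and, for a native user-mode application, a byte length followed by a UTF-16 command line. It verifies the ACPI checksum, and can fetch the live table on Linux (from sysfs, which needs root) or on Windows (via GetSystemFirmwareTable). The sample table is constructed inline; its OEM IDs, address and command line are made up.

```python
"""Parse and locate a Windows Platform Binary Table (WPBT).

Added example, not code from the article, Microsoft or Lenovo.  Field
layout follows Microsoft's WPBT specification: a standard ACPI header,
then handoff memory size/location, content layout, content type and,
for content type 1, a UTF-16 command line.
"""
import struct
import sys
from typing import Optional

# Standard ACPI table header: signature, length, revision, checksum,
# OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT-specific fields: handoff memory size, handoff memory physical
# address, content layout, content type, command line length in bytes.
WPBT_BODY = struct.Struct("<IQBBH")

CONTENT_LAYOUT = {1: "single PE image"}
CONTENT_TYPE = {1: "native user-mode application (run by Session Manager)"}


def acpi_checksum_ok(table: bytes) -> bool:
    """Every byte of a well-formed ACPI table, checksum included, sums to 0 mod 256."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Decode a raw WPBT; raise ValueError on anything that does not look like one."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short for a WPBT")
    (sig, length, revision, _checksum, oem_id, oem_table_id,
     _oem_rev, _creator_id, _creator_rev) = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError(f"header says {length} bytes, got {len(table)}")
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch")
    mem_size, mem_loc, layout, ctype, arg_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    args_off = ACPI_HEADER.size + WPBT_BODY.size
    if args_off + arg_len > len(table):
        raise ValueError("command line runs past end of table")
    cmdline = table[args_off:args_off + arg_len].decode("utf-16-le").rstrip("\x00")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_table_id.decode("ascii", "replace").strip(),
        "revision": revision,
        "binary_size": mem_size,          # bytes of PE image the firmware hands over
        "binary_phys_addr": mem_loc,      # where that image sits in physical memory
        "content_layout": CONTENT_LAYOUT.get(layout, f"unknown ({layout})"),
        "content_type": CONTENT_TYPE.get(ctype, f"unknown ({ctype})"),
        "cmdline": cmdline,
    }


def build_wpbt(oem_id: str, oem_table_id: str, binary_size: int,
               binary_addr: int, cmdline: str = "") -> bytes:
    """Assemble a WPBT with a valid checksum (used here only to construct sample input)."""
    args = cmdline.encode("utf-16-le") + b"\x00\x00" if cmdline else b""
    body = WPBT_BODY.pack(binary_size, binary_addr, 1, 1, len(args)) + args
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              oem_id.encode().ljust(6)[:6],
                              oem_table_id.encode().ljust(8)[:8],
                              1, b"EXMP", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) % 256        # checksum byte lives at header offset 9
    return bytes(table)


def read_system_wpbt() -> Optional[bytes]:
    """Fetch the live WPBT, or None if the firmware publishes none."""
    if sys.platform.startswith("linux"):
        try:  # raw ACPI tables in sysfs; reading them needs root
            with open("/sys/firmware/acpi/tables/WPBT", "rb") as f:
                return f.read()
        except FileNotFoundError:
            return None
    if sys.platform == "win32":
        import ctypes
        k32 = ctypes.windll.kernel32
        k32.GetSystemFirmwareTable.restype = ctypes.c_uint
        provider = 0x41435049                           # 'ACPI'
        table_id = int.from_bytes(b"WPBT", "little")    # signature as it sits in memory
        size = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
        if size == 0:
            return None
        buf = ctypes.create_string_buffer(size)
        k32.GetSystemFirmwareTable(provider, table_id, buf, size)
        return buf.raw
    return None


# Constructed sample (made-up OEM, address and arguments): a 64 KiB binary at 0x7FF00000.
SAMPLE_WPBT = build_wpbt("EXAMPL", "PLATBIN", 0x10000, 0x7FF00000, "-install")

if __name__ == "__main__":
    live = read_system_wpbt()
    if live is None:
        print("no WPBT published by this firmware; showing the constructed sample")
        live = SAMPLE_WPBT
    for key, value in parse_wpbt(live).items():
        print(f"{key:>17}: {value}")
```

On a machine without a WPBT the sysfs file is absent and GetSystemFirmwareTable returns a size of 0, so the script falls back to the constructed sample. Per Microsoft's specification the Session Manager writes the extracted binary to %SystemRoot%\System32\wpbbin.exe before running it, so the presence of that file after a clean install is the quick confirmation the user in the story lacked.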

Official removal instructions

Apparently, though, Microsoft has since tightened its rules. Lenovo's official page on the subject states that only systems manufactured between October 23, 2014 and April 10, 2015 have the Lenovo Service Engine in their BIOS. There is also a list of the affected devices. An entry under the BIOS security settings indicates it, and there LSE can evidently also be disabled. In addition, Lenovo provides a tool with which LSE can be removed. The reason, the manufacturer writes, is Microsoft's updated guidelines. To make matters worse, IT security researchers had also discovered vulnerabilities in LSE.