Looks like Lenovo notebook users have not had enough of bloatware and security issues. After the ‘Superfish’ scandal earlier this year which involved a pre-loaded malware to help customers potentially discover interesting products while shopping and thereby raising serious questions on security, the company’s users are now vulnerable to yet another security threat.
Ars Technica forum user ge814 has pointed out in May that the world’s largest PC maker stealthily overwrote system boot files pertaining to Windows 7 and 8 and even managed download it’s proprietary Lenovo update tool and installed malware, even though the Windows version was a DVD-licensed one.
The controversial part is that the aforementioned software did not get wiped off like it should along with the rest of the files post a system wipe.
Not surprisingly, a massive range of laptops as well as desktops have been hit by Lenovo’s malware: Flex 2 Pro-15/Edge 15 (Broadwell/Haswell models), Flex 3-1470/1570/1120, G40-80/G50-80/G50-80 Touch/V3000, S21e, S41-70/U40-70, S435/M40-35, Yoga 3 14, Yoga 3 11, Y40-80, Z41-70/Z51-70 and Z70-80 / G70-80.
The desktop versions affected are as follows: A540/A740, B4030, B5030, B5035, B750, H3000, H3050, H5000, H5050, H5055, Horizon 2 27, Horizon 2e(Yoga Home 500), Horizon 2S, C260, C2005, C2030, C4005, C4030, C5030, X310(A78) and X315(B85).
The culprit behind the entire fiasco is Lenovo Service Engine which downloads a program called OneKey Optimizer. Lenovo Service Engine (LSE) is a utility in the BIOS for certain Lenovo desktop systems. It automatically sends non-personally identifiable system data to a Lenovo server one time when the system is first connected to the internet and then does not send any additional data. The system data that LSE collected includes machine type and model, system UUID, region and date. No personally identifiable information is collected.
One could point fingers at Microsoft too, because the entire mechanism is a product of a certified process called the Windows Binary Table helping Lenovo to exploit root-kit like techniques.
Microsoft has recently released updated security guidelines on how to best implement this feature. Lenovo’s use of LSE is not consistent with these guidelines and so Lenovo has stopped shipping desktop models with this utility and recommends customers with this utility enabled run a “clean up” utility that removes the LSE files from the desktop.
The company, facing cut-throat competition in the dwindling PC market, did respond to this issue. However, as expected, it chose not to publicize it; to the extent that the remedy had to be manually performed. Users reportedly did not receive OTA updates.
This indeed is frightening. PC consumers no longer have the right to purchase the desired hardware as we advance geenrations of technology. Rather, OEMs tend to restrict us to their terms and conditions. Usually, technical people would just exclaim “Oh, you should wipe the drive and reinstall Windows to avoid all the crapware” but if this incident is to be kept in mind, even entire wipes have not stopped OEMs from loading adware on users computers without their will.
As of now, the company enjoys superior operating profit margins of nearly 5.4%, taking it well ahead of ASUS and HP.
If your Lenovo PC is included in the list of affected devices above, head here to disable the tool.
This development is sure to weigh heavily on the security scale for potential Lenovo buyers. What do you think? Share your thoughts in the comment section below.