Hundreds of devices from vendors such as Acer, Dell, and Lenovo have been found to be left wide open to threat actors due to untrusted test keys.

These devices have been left compromised due to PKfail, a firmware supply chain vulnerability. On devices where PKfail (short for Platform Key fail) is present, threat actors can install malware with ease. This is because the presence of PKfail means hackers can bypass the Secure Boot process and gain access to the device. Naturally, unauthorized access puts a device at risk of not only being infected with malware, but also suffering data breaches and being hijacked for DDoS attacks.

As the threat of PKfail has affected some of the major PC manufacturers, it’s important we investigate this a little closer.

The Failure of PKfail

Secure Boot is an integral part of any modern PC, ensuring a device’s firmware and operating system is correctly authenticated against a secure key on the machine. The devices at the center of this security failure have, within their system, a test Secure Boot key. This is named “DO NOT TRUST” and is created by American Megatrends International (AMI), a widespread BIOS system used to start up a computer after being powered on.

The intention of the test key was simply that, a test. Vendors using AMI on their systems, for example Lenovo PCs, should have removed this test key before generating a unique Platform Key. This would then protect the BIOS system, prevent Secure Boot from being compromised, and eliminate the threat of unauthorized access via this route. However, this task was missed by numerous vendors, leaving their devices unprotected.

Threat actors, aware of this flaw, could then exploit this workaround for Secure Boot and access the compromised devices without breaking a sweat. By taking control of the machines, the attackers were able to start downloading malware such as CosmicStrand and BlackLotus to the devices. This firmware vulnerability, linked to a June 2024 release as per supply chain security firm Binarly, has affected close to 900 devices, with those affected listed here.

Staying Safe from PKfail

Vendors who have failed to the replace the test key from AMI are being encouraged to immediately rectify this on any systems waiting to be issued. End users of the affected devices should also keep an eye on firmware updates issued by the vendors, prioritizing any which mention the PKfail flaw. Binarly has also given end users a helping hand by creating the pk.fail website, where those at risk can scan firmware binaries to identify any PKfail-vulnerable devices.

PC users, therefore, should be aware of the risk that even newly shipped products, with the latest firmware and patches in place, can be compromised straight out of the box. Forgetting the debacle of the Crowdstrike update debacle, promptly installing updates is one of the best ways to maintain your PC’s security.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


Lenovo-Yoga-658x370-2212b47ff38e685e

Several weeks ago, Lenovo was found to be preloading spyware onto their laptops; now it’s been discovered they’re loading spyware onto their Thinkpads.

Yes, Lenovo has certainly disgruntled a whole new sector of customers. And what with the Thinkpad range being marketed as a business laptop it’s particularly worrying for business customers.

After all, which business wants to get caught up in any type of security threat which could potentially distribute their customers details to third party sources?

Let’s take a quick look at exactly what’s happening.

The Spyware Scandal

spionage_w492_h312

The Thinkpad range was purchase by Lenovo from IBM and these refurbished models are being packaged with a piece of software called ‘Lenovo Customer Feedback Program 64’ which is causing the latest controversy.

But what exactly does this spyware do?

Well, it’s there to send customer feedback back to Lenovo’s servers to help improve their products and service. There’s not anything particularly nefarious about that. However, it’s also been discovered that this piece of software contains the following files:

  1. TVT.CustomerFeedback.OmnitureSiteCatalyst.dll
  2. TVT.CustomerFeedback.InnovApps.dll
  3. TVT.CustomerFeedback.Agent.exe.config

It’s the first file which is interesting as it relates to Omniture who are an online marketing and web analytics company. What they do is monitor people’s behaviour online to help build a snapshot of how internet traffic is moving across the web.

Now, although Lenovo do disclose in their EULA (End User Licence Agreement) that software will be transmitting customer feedback to the Lenovo servers it is buried away amongst a lot of text. Additionally, there is no mention that internet usage will be monitored and passed on to Omniture for what is surely financial profit.

Just imagine the security risks this could have with your business if hackers are able to find a loophole in this spyware and can piggyback onto your internet connection? It could spell serious security issues for the security of yours and your customers’ data.

Removing the Spyware

Virus-Removal

Thankfully, it’s not a mammoth task when it comes to removing the spyware, so just follow these steps:

  1. Download ‘Task Scheduler View’ which is a useful piece of software which displays all the tasks running in Windows
  2. Within Task Scheduler View you will want to disable anything which is related to Lenovo customer feedback and/or Omniture
  3. It’s also recommended to rename the folder “C:\Program Files (x86)\Lenovo” e.g. “:\Program Files (x86)\Lenovo-test” to help prevent any other dubious files being activated or installed

This should that your Thinkpad and your confidential data remain secure and are not at risk of being exploited.

When Will Lenovo Stop?

This is the third security scandal to hit Lenovo this year after the Superfish and BIOS modifying controversies, so consumers are understandably losing their patience with Lenovo.

Although Lenovo claims on their website that “Lenovo takes customer privacy very seriously and the only purpose for collecting this data is to improve Lenovo software applications” it remains to be seen when they will follow through on this pledge.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


Lenovo-Yoga-658x370-2212b47ff38e685e

It’s irritating to find a fresh PC full of unnecessary preloaded software, but a Lenovo rootkit has been found sneaking software onto PCs after installation.

Preloaded software such as this is called ‘bloatware’ as it uses up vital system resources, but provides virtually no benefit to the user. Many users, therefore, like to perform a fresh Windows install after unpacking their system to eradicate this pesky bloatware.

However, Lenovo have decided to work around this procedure and are still managing to force their software onto Lenovo systems!

Let’s take a look at how they’re achieving this and what it means for you.

Access via Rootkit?

Many people are accusing Lenovo of resorting to rootkit tactics to make sure their software remains on your system.  A rootkit is a malicious piece of software which grants access to your system to remote users. This is commonly used by criminals to steal passwords or credit card details.

However, in this instance Lenovo isn’t actually using a rootkit and they’re not trying to steal your personal details.

How is Lenovo Gaining Access?

20150814192021

Lenovo is actually loading bloatware on to systems by taking advantage of an official piece of Windows software known as the Platform Binary Table (WPBT). The WPBT allows manufacturers to install trusted software to systems in order for them to run properly.

This software needs to be stored within the machine on a physical medium e.g. a hard drive. Now, the most obvious thing to do would be to uninstall this unwanted software, but this is where Lenovo starts to play nasty.

Built into the Lenovo system’s firmware is a piece of software known as the Lenovo Service Engine (LSE). And the LSE runs before Windows boots up and replaces Microsoft’s version of ‘autochk.exe’ with its own.

Normally, autochk.exe is used to verify the integrity of your file system, but Lenovo’s variant installs software which connects to the internet and downloads the bloatware via the WPBT.

The problem is that because the LSE runs before Windows boots up it’s almost impossible to stop this happening even when you’ve deleted the bloatware. It will simply download again thanks to the LSE!

Cleaning up Lenovo’s Bloatware

115717-104371-i_rc

Once news of Lenovo’s shady activities came to light they were confronted with a lot of bad press.

Not surprisingly they soon released a tool to help remove this rogue software from their systems. There are also numerous guides online advising how to remove the threat manually, but this involves burrowing deep into your system’s code and is best left to an expert.

It was also revealed that all desktop machines which were built between 10/23/2014 – 04/10/2015 contained the LSE, so this is a huge number of systems which have been, to all intents and purposes, infected.

Final Thoughts

The LSE debacle has caused a lot of harm not only to Lenovo customers, but also to Lenovo’s brand values. And the ease with which the WPBT was exploited will also raise many questions about just how secure Windows is.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


Comp 1 (0;00;00;00)

Lenovo has been caught red-handed shipping laptops with invasive adware. Read more here to find out the implications of why you should be concerned.

If your office has purchased any number of Lenovo laptops during the latter part of 2014, then these systems are likely affected by pre-installed adware.

There’s now little wonder  as to why your office’s antivirus or antimalware software might have been bugging you about a malicious adware named “Superfish”. If your systems administrator hasn’t been able to pinpoint the particular source, the culprit could really be the OS itself or Lenovo.

In 2014, several Lenovo notebook users reported injected advertisements while doing regular internet searches. The adware was identified as “Superfish” with capabilities of injecting third-party advertisements to not only on search engines like Google but by any website visited as well. Experts and technical enthusiasts have determined the adware was already pre-installed with the notebook by the time a unit is purchased.

Is It a Big Issue?

Although Lenovo would claim otherwise, experts point out that this invasive software can affect both users’ privacy and security.

For internet users who are annoyed by those numerous and deceiving web advertisements, this would already be a problem. Even the more savvy users can be deceived due to the nature of the advertisements displayed, which are designed in a way to look like they are part of the search results or the webpage itself.

A serious security threat which can spy and steal your data

Other than the ability to bombard you with online advertisements,”Superfish” also gives the perpetrators an opportunity to spy on the user’s activities when online and even monitor personal data:

  • The adware installs itself as a root security certificate in the laptops.
  • A security certificate is a small system file/key that determines which websites, servers, and software are trustworthy and which are not.
  • A root certificate can be likened to having a “master key”, where its authority will be adopted within the internet settings of a computer.
  • This makes a computer vulnerable by tricking it into thinking a website is secure, even if it’s not.

It’s a window of opportunity for cyber criminals to spy on their targets or even deceive them to give out personal data like usernames and passwords. There’s also a risk for laptops to be susceptible to malware and virus attacks since they can slip through their antivirus/antimalware software by using the certificates to make them look like legitimate files.

Lenovo’s Response

superfish-screenshot

Lenovo recently confirmed selling their units pre-installed with adware and shipping them worldwide. According to Lenovo, only units produced between September and December of 2014 were affected. Additionally, Lenovo defended the addition of “Superfish” in its laptops citing that the goal was to improve user experience when shopping online and that it does not monitor user activity.

As of January 2015, Lenovo has stopped shipping the adware on its computer products and has promised not do so in the future. It has also disabled “Superfish” and server interactions for the affected units and users. This “feature” should now cease to exist.

Check if you are affected by Superfish

 

superfish

Filippo Valsorda has setup a quick online test to see if your computer and internet connection are affected.  The test can be run here.

For more ways to stay protected, contact your local IT professionals.

Read More