Lenovo Breaches User Trust Again with ‘Service Engine’ Rootkit


Seems Lenovo is one company that doesn’t learn its lesson. Following on from the “Superfish” adware and problematic root certificate issues earlier this year, Lenovo is in hot water again over a component which some pundits say closely resembles a rootkit.

The mechanism under fire is called the ‘Lenovo Service Engine’ which downloads a program called ‘OneKey Optimizer’. According to Lenovo, this program “can enhance your PC’s performance by updating firmware, drivers, and preinstalled apps. It also provides power management schemes that can extend the life of your battery.”

All of which sounds harmless enough; however, it also transmits data to Lenovo’s servers. According to Lenovo, this data is “non-personally identifiable system data”, including machine type and model, system UUID, region and date. Regardless of Lenovo’s assurances, what makes this particularly worrying is that Windows files are overwritten on boot, that files are added to the Windows system32 directory, and that a service is set up on the system to transfer data to Lenovo. Once that system is in place, who knows what data is really being transmitted?

Even more worrying is the fact that the Lenovo Service Engine is triggered via the BIOS, meaning it will persist between installations of Windows, even following a format and clean installation:

Lenovo is now using rootkit-like techniques to install their software on CLEAN Windows installs, by having the BIOS overwrite Windows system files on bootup.

Scarier and Scarier

Here’s the rub: the mechanism Lenovo has been using is actually a Microsoft-sanctioned technique, first introduced in November 2011 and updated in July of this year. The feature allows computer manufacturers to push software for installation from the BIOS to the system, meaning it will persist between installations of Windows regardless of whether it’s a clean installation or not. So, other manufacturers could also have been utilizing this technique without user knowledge; however, that remains unconfirmed at this time.
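As an added, defender-side example (not code from the article or from Lenovo), the PowerShell below asks the firmware which ACPI tables it exposes to Windows and reports whether a Windows Platform Binary Table (WPBT) is among them; WPBT is the Microsoft-defined mechanism the article refers to, and it is the one the Lenovo Service Engine used. It assumes a Windows host; the function and variable names are my own.

```powershell
# Added example, not from the article or from Lenovo. Enumerates the ACPI tables the
# firmware exposes and summarises the WPBT entry if one exists. A present WPBT is not
# proof of misuse, but it is the first thing to check on a machine like those described.
$nativeMethods = @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint EnumSystemFirmwareTables(uint provider, IntPtr buffer, uint size);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, IntPtr buffer, uint size);
"@
$Fw = Add-Type -MemberDefinition $nativeMethods -Name Firmware -Namespace Win32 -PassThru

# Call a Win32 "size then fill" API pair (first call with a null buffer returns the
# required size) and return the raw bytes it wrote.
function Read-FirmwareBytes([scriptblock]$Call) {
    $size = [int](& $Call ([IntPtr]::Zero) 0)
    if ($size -le 0) { return [byte[]]@() }
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($size)
    try {
        [void](& $Call $buf $size)
        $bytes = New-Object byte[] $size
        [Runtime.InteropServices.Marshal]::Copy($buf, $bytes, 0, $size)
        return $bytes
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

# The provider 'ACPI' is 0x41435049; table IDs are DWORDs whose in-memory bytes
# spell the four-character ACPI signature (so 'WPBT' as bytes, read little-endian).
$ACPI  = 0x41435049
$Ascii = [Text.Encoding]::ASCII

function Get-AcpiTableSignatures {
    $ids = Read-FirmwareBytes { param($p, $n) $Fw::EnumSystemFirmwareTables($ACPI, $p, $n) }
    for ($i = 0; $i -lt $ids.Length; $i += 4) { $Ascii.GetString($ids, $i, 4) }
}

function Get-WpbtSummary {
    $sigs = @(Get-AcpiTableSignatures)
    if ('WPBT' -notin $sigs) { return [pscustomobject]@{ Present = $false; Tables = $sigs } }
    $id = [BitConverter]::ToUInt32($Ascii.GetBytes('WPBT'), 0)
    $t  = Read-FirmwareBytes { param($p, $n) $Fw::GetSystemFirmwareTable($ACPI, $id, $p, $n) }
    # Standard 36-byte ACPI header (OEM ID at offset 10, OEM table ID at 16), then the
    # WPBT body: handoff size (4 bytes) = size of the binary firmware hands to Windows.
    [pscustomobject]@{
        Present     = $true
        Tables      = $sigs
        OemId       = $Ascii.GetString($t, 10, 6).Trim()
        OemTableId  = $Ascii.GetString($t, 16, 8).Trim()
        BinaryBytes = if ($t.Length -ge 40) { [BitConverter]::ToUInt32($t, 36) } else { 0 }
    }
}

Get-WpbtSummary | Format-List
```

If the table is present, the OEM fields identify who authored it, which is what you would compare against the vendor’s advisory before deciding whether the fix linked below has actually removed it.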

This revelation is very concerning; persistently pushing manufacturers’ bloatware via the BIOS and messing with system files is a clear abuse of user trust. It appears a truly clean, untouched, manufacturer install of Windows is fast becoming an endangered species.

The Fix

At least there is some good news: if you own one of the affected Lenovo laptops you can disable the feature right now by downloading a utility from Lenovo here: https://support.lenovo.com/us/en/product_security/lse_bios_notebook

NOTES:

  • LSE was shipped on certain notebook systems running Windows 7, 8 and 8.1 – the LSE functionality has been removed from newly manufactured systems.
  • Affected Lenovo models are listed on the page linked to above.

About the Author

Jim Hillier

Jim is the resident freeware aficionado at DCT. A computer veteran with 30+ years’ experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s; he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele... as well as writing for DCT, of course.

7 Comments

  1. Good stuff… thanks… I may be crazy but why would I trust Lenovo, a Chinese computer company, to give me a “fix” for their untrustworthiness? And this is the second time they have abused my trust.. You know the old saying “fool me once, shame on you… fool me twice, shame on me”

  2. RE: “Seems Lenovo is one company that doesn’t learn its lesson.”
    Mr. Hillier is the one who doesn’t get it. Lenovo is demonstrating that this is part of its culture and that if it can’t sneak in one spyware, it will try again and again and again and again and again…. The lesson to be learned is to not buy a Lenovo unless you don’t mind this type of garbage being included in your PC.

    Because this is a Microsoft-sanctioned technique, it also says something worrisome about Microsoft.

  3. Man, this is scary. Where will the line be drawn on privacy? I think it’s just a matter of time before computers get too darn dangerous to use. I may seem over the top but this old man has seen many changes over my 65 years and has yet to see one single change stand still; they just keep on moving, and not always for the better. This IMHO is a disease that will continue to spread. I am beginning to think it’s best to put my old Win98SE or XP back on and just use it for email. Forget about viruses and updates… just make a backup image and recover each time your computer gets too slow haha.

    • I triple boot with XP, W7 and W10. I use XP to run my printer and all my games, I use W7 for DVD and Windows Media Center Playback and I use W10 for Email and Facebook. I guess this is progress.

  4. This is another test to see how far they can go, and what impact it might have on sales and revenue. I hope they feel some pain from this. The problem is, 95 percent of Lenovo owners with this root-kit will never even know it’s there, or that their privacy is compromised. The vast majority of users are clueless and just look at you cross-eyed when you try to explain what a root-kit is.

  5. HELLO ALL !!!! It is not a question of learning a lesson … it is a matter of getting as many subservient Lenovos, etc. out there repeatedly as there will be enough even one in Washington DC or five on the Stock Market Exchange floor or one in the Nuclear Submarine … is all that is required … just bombast and bombast until there is enough ‘flak’ out there … voila MISSION ACCOMPLISHED while you think they are DUMB!!!? Haha !

    Start here …

    what news on the HARD circuits Chinese have coded into the Lenovos ASIDE from the SUPERFISH BLATANT FISHING PHISHING Software OPENLY!!! ? … what I read and hear … oh sorry I errr … I meant the “IBM’s (Lenovo)” … just imagine … broadcasting a sequenced military code or something and world’s so wide spread or even SPARSELY SELECTIVELY or RANDOMLY DISPERSED (or targeted shipments to Washington DC, or Armonk, or Navy Yards California to Annapolis to Baltimore to Miami to Guantanamo Bay to Alaska … Lenovos turning to Zombies (without giving any signs that the Camera or such is LOOKING at you … LISTENING to you … and start obeying the master … Lenovos in USA missile silos to submarines to NASA to Fort Knox to Treasury department to Private or for that matter Govt data servers Stock Market Accounts … I err on the safe side … check the Made in China chips and CPU’s and cell phone chips and circuits worldwide Apple iPhones … on hearing the noiseless internet packets …. beep beeeep beeep … become a mass data collection or (without giving away any sign of it) eyes and ears of the ‘Master’ … Dr. Who and that Master couldn’t hold a candlestick to this: iPhones zoned out and tuned to becoming en masse eyes and ears … when the siren code goes out … is that so far out? … Nope … you are the experts … forget the overt EMP … it’s down to your Lenovo on your desk … micro-IMPS … There you have it HELLO AMERICA !!! … latest news from the net … and THEN IMAGINE “Internet of Things” !!!!

    The only answer is to have USA made chips and PC’s and iPhones or any other phone … only USA made PC’s in hands of American Politicians to Army to Airforce to Navy … to Stock Market … to every sensitive post !!!