Lenovo’s PCs spy for China

UPDATE:

(The hue and cry over Superfish has forced the company to issue a removal tool to owners of Lenovo PCs that shipped with the malicious "adware." Removal is neither simple nor straightforward and takes several steps, because the program and the root certificate it installs have to be removed separately. If you run a commercial antivirus product, its vendor has probably already pushed you a fix or pointed you to Lenovo's site. Lenovo may also have contacted you directly.

Whether your PC remains vulnerable after removal is something I will cover in my next article. Right now, it is too soon to tell.)

* * * * *

Did you know that the Lenovo PC or laptop sitting on your work desk likely has firmware and components built into it that allow the Chinese government to spy on you?

According to these reports, the components include malicious circuits, tiny antennas, and firmware that provide back-door access to the computer and to any network it is connected to.

The details remain sketchy because they are classified, but the threat is considered serious enough that the intelligence agencies of the U.S., Canada, Britain, Australia, and New Zealand (collectively known as the Five Eyes) have banned the popular PCs from their own services and from the private contractors that work with them.

Trusted Name

Lenovo, which bought IBM's PC business, including the ThinkPad line, in 2005, was thereby catapulted into being one of the largest and most popular computer makers in the world. Its hardware is widely used in homes and businesses. But since a Senate committee reported on the threat, it appears that even private companies have cause to fear malicious chips and circuit boards stealing financial and trade secrets. At the crude end, such hidden implants could act as a kill switch that brings down an entire network; the back door they provide could also be used for subtler, nefarious purposes, such as remote manipulation of proprietary economic data.

Remember, China regards itself as being at war with the West both in political doctrine and in commerce.

China has long aroused fears among Western intelligence agencies concerning its focus on development of cyber warfare capabilities. Most of these concerns center on Trojans, viruses and other malicious software meant to scoop up information that would be employed by the Chinese foreign intelligence service.

Banned By Law

The ban by Western spy agencies was put in place in the late 2000s, shortly after the malicious hardware was detected. Lenovo insists it was never made aware of the ban, yet 16,000 ThinkPads purchased by the U.S. State Department were declared too compromised to be used on secure information and communication systems.

Farinaz Koushanfar, a professor at Rice University's Adaptive Computing and Embedded Systems Lab, told InformationWeek that the NSA "was incredibly concerned about state-sponsored malicious circuitry and the counterfeit circuitry found on a widespread basis in U.S. defense systems."

"I've personally met with people inside the NSA who have told me that they've been working on numerous real-world cases of malicious implants for years. But these are all highly classified programs," she said.

In other words, U.S. intelligence services were aware of the threat but kept it secret, declining to go public until they could assess the extent and the possible uses of the data China was collecting.

But Lenovo isn’t the only culprit.

It’s not just Lenovo

Chinese telecommunications equipment makers Huawei and ZTE have also fallen under suspicion. A report by the House of Representatives Permanent Select Committee on Intelligence recommended that government agencies neither purchase nor use equipment from either manufacturer, and strongly urged U.S. companies to do the same, saying the two companies' products posed serious national security risks.

The national security agencies of all five Five Eyes countries have banned the use of Lenovo PCs and servers. The reason is that many of the classified networks of the five nations are interconnected: a compromised machine on one of them would expose the others.

Despite the ban on the most sensitive of these networks, Lenovo continues to supply significant IT resources to other government agencies in these countries. Lenovo computers were tested and the suspicious components identified ten years ago, yet the news is only breaking now, which suggests the governments and their intelligence agencies never shared what they knew with the private sector until the Senate committee's report forced it into the open. Lenovo remains the leading global PC maker.

[Image: Mandiant graph on China, February 2013]

Spy Games

Intelligence analysts say they needed time to confirm the presence of the spying hardware. Others say the Western services wanted to study the technology, reverse engineer it, and feed false information to the Chinese intelligence apparatus, both to confirm that the back door was live and to gauge how China reacted to the false data it was receiving.

Lenovo is a publicly traded company with headquarters in both Beijing and North Carolina, but its major shareholder is Legend Holdings, a company partly owned by the Chinese Academy of Sciences, the home of China's cyber warfare unit.

Even privately held companies in China are under suspicion because the Communist Party openly operates within them, enforcing political conformity among both the management and the workers.

Superfish, Superspy

As if Chinese electronic spying couldn't get any worse, and on the heels of the revelations about malicious hardware in its products, news broke that Lenovo has been pre-installing a tracking program called Superfish, which uses image-recognition algorithms to watch what users are looking at in their browsers and inject ads. What is especially creepy about Superfish is that, to do this, it undermines the certificate-based trust that HTTPS security on the Internet depends on.

The stated purpose of the software is to gather browsing data so it can push relevant ads to the user, but the way it does this is to cut into the secure link between your machine and the online shops and banks you transact with. Superfish installs its own self-signed root certificate authority into the Windows trusted root store, then runs a local proxy that intercepts every HTTPS connection, forging a certificate for whatever site you visit and signing it with that root. Because the root is trusted, the forged certificate looks legitimate to the browser.

In other words, the browser shows the padlock and believes it has an end-to-end secure connection, when in fact the connection terminates at the Superfish proxy on your own machine, which decrypts the traffic, reads it, and re-encrypts it toward the real server. Worse, the private key for that root certificate is the same on every affected machine and has been extracted and published, so anyone who can sit on your network path can mint certificates your browser will accept for any site. Your sensitive data is tracked, recorded and made available to whoever happens to be in the middle.

Even uninstalling the software does not close the hole: the uninstaller leaves the Superfish root certificate in the Windows trusted root store, so the machine keeps trusting anything signed with that now-public key until the certificate itself is deleted. Firefox keeps its own certificate store and has to be checked separately.
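The check a practitioner will want at this point, as an added example that is not from the original page and is not Lenovo's removal tool: a PowerShell script that looks for the Superfish root certificate in the Windows trusted root stores (machine-wide and per-user) and, when asked, deletes it. Matching on the subject string "Superfish" and the process name VisualDiscovery are assumptions made here; the real certificate's subject contains "Superfish, Inc.", which is what the pattern keys on. Run it from an elevated prompt.

```powershell
# Added example: find (and optionally remove) the Superfish root CA certificate
# that uninstalling the adware leaves behind. Not Lenovo's or Superfish's code.
# Usage: .\Find-SuperfishRoot.ps1            (report only)
#        .\Find-SuperfishRoot.ps1 -Remove    (delete the certificate(s))
#        .\Find-SuperfishRoot.ps1 -Remove -WhatIf
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# Assumption: identify the certificate by subject rather than a hard-coded
# thumbprint, so a re-issued or slightly different copy is still caught.
$SubjectPattern = '*Superfish*'

# Both the machine-wide and the per-user trusted root stores can hold it.
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Find-SuperfishRoot {
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like $SubjectPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    Path       = "$store\$($_.Thumbprint)"
                }
            }
    }
}

$found = @(Find-SuperfishRoot)

if ($found.Count -eq 0) {
    Write-Output 'No Superfish root certificate found in the Windows root stores.'
}
else {
    $found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize
    if ($Remove) {
        foreach ($cert in $found) {
            # ShouldProcess honours -WhatIf / -Confirm for a dry run.
            if ($PSCmdlet.ShouldProcess($cert.Path, 'Remove trusted root certificate')) {
                Remove-Item -Path $cert.Path
                Write-Output "Removed $($cert.Thumbprint) from $($cert.Store)"
            }
        }
    }
    else {
        Write-Output 'Re-run with -Remove to delete the certificate(s) listed above.'
    }
}

# The interception proxy is a separate component from the certificate
# (process name assumed here): stopping it does not revoke trust in the root,
# and deleting the root does not stop it. Both have to go.
$proxy = Get-Process -Name 'VisualDiscovery' -ErrorAction SilentlyContinue
if ($proxy) {
    Write-Warning "Superfish proxy process still running (PID $($proxy.Id)); uninstall it as well."
}
```

Run the report mode first, then `-Remove -WhatIf` to see exactly which store entries would be deleted, then `-Remove`. This covers only the Windows certificate stores; Firefox does not consult them, so its own Certificate Manager has to be checked for the same entry by hand.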

Oops, We Got Caught

At first unrepentant, the company, once the news became widespread, is now kowtowing to an enraged public. "We messed up badly here. We made a mistake," said the company's Chief Technology Officer.

There are several points to be made here. One, Superfish is so powerful that had it been developed by a Western national government it would have been classified as ordnance-level software and kept secret, likely for use against the Chinese, or even for covert domestic surveillance.

It is military grade, and must have had the support and aid of the Chinese cyber warfare unit in its development, just as the U.S. and Israeli governments cooperated on the Stuxnet computer worm designed specifically to sabotage the Iranian nuclear program.

Two, nobody should presume that their right to privacy is being observed by either foreign or domestic governments, or commercial entities.

Three, the U.S. and its allies are just as fully engaged in cyber warfare, in both defensive and offensive modes, as the Chinese, and the Russians. We’ve been caught with our pants down more than a few times, as former NSA contractor turned whistleblower Edward Snowden has revealed.

Can’t happen here?

It’s unlikely that the U.S. government could partner with a private computer manufacturer to make each of their products such efficient spying devices, but it would be premature and naive to assume no collaboration between industry and government has taken or will take place.

In fact it already has: the major telecoms, along with Google and Yahoo, have handed over to the government millions of records of private communications, without objection and without a court order being required.

As blogger Simon Black wrote, “There are very few if any big institutions we can trust anymore. And maybe that’s how it should be. It’s a shark-filled world with people who do bad things. Perhaps it’s all the better that a trusted brand becomes the poster child for betrayal. Because if Lenovo is doing this, are we supposed to be so naïve to presume that Google, Apple, AT&T, etc are not?”