Spy agencies ban Lenovo PCs on security grounds (opens in new tab)

(afr.com)

112 pointsrlvesco712y ago79 comments

79 comments

47 comments · 16 top-level

glesica12y ago· 10 in thread

Wait, so they'll still buy a Dell or HP that is manufactured in China, by a Chinese company, but has the nameplate of an American company slapped on the front, but they won't buy a Lenovo? I'm so confused.

harshreality12y ago

You're confused because you didn't read the article very well. It's reporting allegations of specifically identified malicious elements of Lenovo hardware and firmware.

1 more reply

samspenc12y ago

IMHO, there's a big difference between American companies that manufacture in China and can ensure certain functionality (I for one support "made in USA" and buy that if I can)... and Chinese companies, esp. ones with CCP connections, who can build electronics any which way they would like to.

nawitus12y ago

>I for one support "made in USA" and buy that if I can

I'd never understood this kind of nationalism. I don't care if the items I purchase happen to have been made in the country I happen to live. I want to buy the product that best suits my needs regardless of where it was manufactured.

Sure, if an American product happens to have a higher quality and I'm looking for that, then I can choose to buy it. In that case you can abstract away the manufacturing country, so "made in country X" shouldn't be a factor in any case.

If anything, Western people should buy products from poor countries. It's the best aid they can get.

8 more replies

glesica12y ago

How can Dell check for back doors when the entire design and manufacturing process is done by Chinese subcontractors? That makes no sense...

2 more replies

dhughes12y ago

Careful marketing is tricky the phrase "made in America" may not mean what you think it means. I'd say you're looking for "Product of USA" which means a totally different thing i.e. actually made in the USA.

I know here in Canada on investigative consumer shows it's been shown "made in" may simply mean a product was assembled from parts made in another country or maybe 51% of the product was made in your country.

Preying on a person's nationalistic feelings is a powerful marketing tool to get people to buy a product.

rhizome12y ago

The fact is that "oh no, CHINA!" has most-favored-nation status with the US and is a major major partner in pretty much every way, including positive ones. The rending of garments like this is just a couple of boardroom loudmouths posturing, like Facebook and Google taking potshots at each other. Competitors, not enemies.

huhtenberg12y ago

What makes you think they buy off-the-shelf Chinese-assembled Dells and HPs?

mhurron12y ago

If they weren't buying off the shelf computers to begin with this announcement wouldn't have been required.

glesica12y ago

I don't know for certain, but having dealt with Dell before (as an institutional customer), I know the government buys off-the-shelf Dells. Now, maybe the intelligence agencies have special arrangements, I don't know, but it seems unlikely to me. I'm sure they do more than just unpack the box and plop it onto the desk, but I doubt Dell or HP have special manufacturing facilities for intelligence agency machines.

1 more reply

Zakharov12y ago

The article never stated that they would do so.

tnuc12y ago· 5 in thread

This is the same bullshit that was thrown around when IBM sold off their PCs to Lenovo.

A British spy agency coming out with information like this but not in public? Sounds like bullshit to me.

Britain would be well advised to steer clear of US branded computers as the NSA might have access.

sounds12y ago

For US corporations and small businesses, a Lenovo laptop is definitely one of the first places to look for good linux compatibility.

Lenovo laptops are also among the only ones that are supported by coreboot.

You can't be sure you've found all the backdoors but by running coreboot+linux you can eliminate many of them.

Perhaps that's the reason the US Government is spreading FUD about Lenovo.

samstave12y ago

>...as the NSA might have access

Might?

Anyone recall how the USG was requiring backdoors into all routers/switches? I was told about this in 1997 from a Cisco employee who told me they were required to provide a method for the USG to be able to log into all devices they make.

superuser212y ago

This is documented. Routers are required to have the ability to intercept traffic in response to a warrant, but the router's administrator must manually create an intercept and grant the government access to data. There is no "backdoor."

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cfg/conf...

schoen12y ago

It's possible that they were talking about CALEA, which has some wiretap capability mandates on hardware (and associated technical standards).

If I had the choice between communicating over CALEA-compliant or non-CALEA-compliant infrastructure, I would far prefer the latter, but these particular backdoors aren't required to operate in an automatic, unattended, or surreptitious way (though some implementations might well have bugs that allow them to do so).

mrweasel12y ago

USG? I've seen that show up quite often the last couple of days, but never explained. Google says it's USG Corporation or University System of Georgia.

2 more replies

guelo12y ago· 4 in thread

> The alleged presence of these hardware “back doors” remains highly classified.

Why wouldn't they want to warn citizens and businesses about this?

darkchasma12y ago

I would guess that in the game of spy vs. spy, you never show your hand. If I declare that a chip has a backdoor, then the enemy knows, and won't use it. New chips and doors will be created. But if I sit on it, then the bad guys may try something, and you can intercept it, or defend against it, or even exploit it yourself.

mpyne12y ago

Bingo. As Mortal Kombat 3 said (for some reason), "There is no Knowledge, which is not Power".

caf12y ago

...or allow them to exfiltrate planted information.

SkyMarshal12y ago

This could be an intentional "leak" to do just that.

harshreality12y ago· 3 in thread

From the article, for the commenters who don't seem to have read it and have a side discussion going about "how do we know Dell or HP hardware isn't compromised?" (answer: nobody knows that, but that's not the reason for the article)...

The ban [on Lenovo hardware for classified networks by multiple western intel agencies] was introduced in the mid-2000s after intensive laboratory testing of its equipment allegedly documented “back-door” hardware and “firmware” vulnerabilities in Lenovo chips.

DanBC12y ago

This is fascinating to me.

There are six countries mentioned - China, US, UK, Australia, New Zealand, and Canada.

Do each of those know the actual exploits, or do they just know that exploits exist and to not use these computers?

Assuming they all know, that's a lot of people who can have scary access to Lenovos. I'd be interested to see if that's going to affect the generally good image Lenovo had. My old thinkpad has a bunch of nice security stuff. I still think it's the most secure computer I use, certainly more tamper proof than most other machines I use.

imrehg12y ago

I have a Lenovo X201, would love to see some details, and try to "hack" my own computer, to see what's there.

Very little information about the actual details in the article. If really was a backdoor there and publicly banning a company because of that, wouldn't it make more sense to show the results publicly too? Otherwise it feels more like FUD than responsible research.

minor_nitwit12y ago

US, UK, Australia, New Zealand, and Canada are the Five Eyes.

http://en.wikipedia.org/wiki/Five_Eyes

ihsw12y ago· 2 in thread

One can also interpret this as Lenovo refusing to install American backdoors that Western-sourced devices have, but that's entering conspiracy-theory territory...

chrischen12y ago

We're already in conspiracy-theory territory.

lifeisstillgood12y ago

Just lean back and enjoy the view :-)

harrytuttle12y ago· 2 in thread

Seriously, shit or get off the pot.

Its speculation and posturing until there is evidence.

It sounds more like someone is not happy they're not in control of the hardware.

CaveTech12y ago

Posturing so that they can convince others that it's true. And then shovel their own chips filled with backdoors.

It's sad to admit, but I would be more suspecting of an American computer than a Chinese one at this point. Constantly pointing their fingers and everyone else so they can do the same things when everyone has their back turned.

rhizome12y ago

Not to mention that these spy agencies will pass the information to each other no problem, as long as the price is right. Maybe that's what this is, though: a tell that (perhaps due to recent developments in the US intelligence sphere) China has raised its prices.

kazagistar12y ago· 2 in thread

Only sane way to reduce the risk of back doors is to have proper open architecture for at least the basic motherboard functionality, and then fully utilize IOMMU to limit what the devices can do.

... hahahaha, yeah right.

marshray12y ago

Believe it or not, I recently got a new Lenovo laptop with the intention of IOMMU-ing it as much as I can internally.

I haven't let it talk to a network or much USB yet, so I'm hoping it's still secure.

kazagistar12y ago

Very interesting actually. I would enjoy reading about how well you manage to pull that off; it seemed to me that support for IOMMU is still broken in both software and firmware, but I very well might be wrong.

1 more reply

bowlofpetunias12y ago· 2 in thread

Given that the rest of the planet is more worries about American spying, I wonder if Apple may want to rethink their "made in California" slogan.

mhurron12y ago

Their slogan is to target jingoists who look at 'made in america' as something special.

The slogan is "Designed by Apple in California." The new MacPro will be able to add 'Assembled in the US' if they wish, and I expect that they will.

It's still all made in China, but flag wavers get to ignore that. Apple is not the only company that does this.

zachrose12y ago

I also suspect that "Designed by Apple in California" puts their name between two words that have positive associations around the world. (I'm assuming here that "California" is held in higher regard than "America" or "United States".)

revelation12y ago· 1 in thread

Banning Lenovos PCs seems somewhat unreasonable, given that they are made mostly from parts you can buy on Newegg that are not suspicious, running Windows.

The actual risk is in infrastructure, stuff like Huawei routers or telephone backends, most of which today are a fully functional computer on their own, with generally no access for the end consumer.

harrytuttle12y ago

Windows is a bigger problem, especially when they admitted to handing zero days over to the TLAs (three letter agencies) before patching.

er0k12y ago

Jonathan Brossard gave a great talk about this at defcon last year. Around the 2:30 mark in the video he talks a bit about the idea of China backdooring hardware.

http://www.youtube.com/watch?v=yRxDvkKBMTc

http://www.slideshare.net/endrazine/defcon-hardware-backdoor...

http://www.scribd.com/doc/101181012/Rakshasa-Whitepaper

samspenc12y ago

Finally. Given how Huawei routers are riddled with "Security 101" vulnerabilities [1], I doubt that Lenovo is any better.

[1] http://news.cnet.com/8301-1009_3-57482813-83/expert-huawei-r...

lifeisstillgood12y ago

If this is not a reason for government backed Open Source hardware I don't know what is. If you know the hardware design you can check it

And I am willing to bet there is a way to take a circuit "fingerprint"

wil42112y ago

They are only paranoid because they know they have introduced backdoors into products their countries produce. Do you really think the US/UK/AUS has not introduced something into a Cisco product or some other hardware manufacturer in their respective country.

Just look at what has come to light with the PRISM program. They already have access to the major software companies what makes people think they havent done some secret FISA order to Dell/Cisco/HP/Apple etc.

edit: typo

keithpeter12y ago

OK, so Lenovo is not being bought.

What is? Anyone got any information?

Most UK govt/corporate types I see have Thinkpads and and a Civil Service Blackberry but they are not covert.

RexRollman12y ago

Considering the pressure the US is applying to gain access to people's data, I think I am equally critical of anything from from a US company.

lsiebert12y ago

So are these alleged hw backdoors low level enough that os doesn't matter?

j / k navigate · click thread line to collapse

79 comments

47 comments · 16 top-level

glesica12y ago· 10 in thread

harshreality12y ago

You're confused because you didn't read the article very well. It's reporting allegations of specifically identified malicious elements of Lenovo hardware and firmware.

1 more reply

samspenc12y ago

nawitus12y ago

>I for one support "made in USA" and buy that if I can

If anything, Western people should buy products from poor countries. It's the best aid they can get.

8 more replies

glesica12y ago

How can Dell check for back doors when the entire design and manufacturing process is done by Chinese subcontractors? That makes no sense...

2 more replies

dhughes12y ago

Preying on a person's nationalistic feelings is a powerful marketing tool to get people to buy a product.

rhizome12y ago

huhtenberg12y ago

What makes you think they buy off-the-shelf Chinese-assembled Dells and HPs?

mhurron12y ago

If they weren't buying off the shelf computers to begin with this announcement wouldn't have been required.

glesica12y ago

1 more reply

Zakharov12y ago

The article never stated that they would do so.

tnuc12y ago· 5 in thread

This is the same bullshit that was thrown around when IBM sold off their PCs to Lenovo.

A British spy agency coming out with information like this but not in public? Sounds like bullshit to me.

Britain would be well advised to steer clear of US branded computers as the NSA might have access.

sounds12y ago

For US corporations and small businesses, a Lenovo laptop is definitely one of the first places to look for good linux compatibility.

Lenovo laptops are also among the only ones that are supported by coreboot.

You can't be sure you've found all the backdoors but by running coreboot+linux you can eliminate many of them.

Perhaps that's the reason the US Government is spreading FUD about Lenovo.

samstave12y ago

>...as the NSA might have access

Might?

superuser212y ago

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cfg/conf...

schoen12y ago

It's possible that they were talking about CALEA, which has some wiretap capability mandates on hardware (and associated technical standards).

mrweasel12y ago

USG? I've seen that show up quite often the last couple of days, but never explained. Google says it's USG Corporation or University System of Georgia.

2 more replies

guelo12y ago· 4 in thread

> The alleged presence of these hardware “back doors” remains highly classified.

Why wouldn't they want to warn citizens and businesses about this?

darkchasma12y ago

mpyne12y ago

Bingo. As Mortal Kombat 3 said (for some reason), "There is no Knowledge, which is not Power".

caf12y ago

...or allow them to exfiltrate planted information.

SkyMarshal12y ago

This could be an intentional "leak" to do just that.

harshreality12y ago· 3 in thread

DanBC12y ago

This is fascinating to me.

There are six countries mentioned - China, US, UK, Australia, New Zealand, and Canada.

Do each of those know the actual exploits, or do they just know that exploits exist and to not use these computers?

imrehg12y ago

I have a Lenovo X201, would love to see some details, and try to "hack" my own computer, to see what's there.

minor_nitwit12y ago

US, UK, Australia, New Zealand, and Canada are the Five Eyes.

http://en.wikipedia.org/wiki/Five_Eyes

ihsw12y ago· 2 in thread

One can also interpret this as Lenovo refusing to install American backdoors that Western-sourced devices have, but that's entering conspiracy-theory territory...

chrischen12y ago

We're already in conspiracy-theory territory.

lifeisstillgood12y ago

Just lean back and enjoy the view :-)

harrytuttle12y ago· 2 in thread

Seriously, shit or get off the pot.

Its speculation and posturing until there is evidence.

It sounds more like someone is not happy they're not in control of the hardware.

CaveTech12y ago

Posturing so that they can convince others that it's true. And then shovel their own chips filled with backdoors.

rhizome12y ago

kazagistar12y ago· 2 in thread

Only sane way to reduce the risk of back doors is to have proper open architecture for at least the basic motherboard functionality, and then fully utilize IOMMU to limit what the devices can do.

... hahahaha, yeah right.

marshray12y ago

Believe it or not, I recently got a new Lenovo laptop with the intention of IOMMU-ing it as much as I can internally.

I haven't let it talk to a network or much USB yet, so I'm hoping it's still secure.

kazagistar12y ago

1 more reply

bowlofpetunias12y ago· 2 in thread

Given that the rest of the planet is more worries about American spying, I wonder if Apple may want to rethink their "made in California" slogan.

mhurron12y ago

Their slogan is to target jingoists who look at 'made in america' as something special.

The slogan is "Designed by Apple in California." The new MacPro will be able to add 'Assembled in the US' if they wish, and I expect that they will.

It's still all made in China, but flag wavers get to ignore that. Apple is not the only company that does this.

zachrose12y ago

revelation12y ago· 1 in thread

Banning Lenovos PCs seems somewhat unreasonable, given that they are made mostly from parts you can buy on Newegg that are not suspicious, running Windows.

The actual risk is in infrastructure, stuff like Huawei routers or telephone backends, most of which today are a fully functional computer on their own, with generally no access for the end consumer.

harrytuttle12y ago

Windows is a bigger problem, especially when they admitted to handing zero days over to the TLAs (three letter agencies) before patching.

er0k12y ago

Jonathan Brossard gave a great talk about this at defcon last year. Around the 2:30 mark in the video he talks a bit about the idea of China backdooring hardware.

http://www.youtube.com/watch?v=yRxDvkKBMTc

http://www.slideshare.net/endrazine/defcon-hardware-backdoor...

http://www.scribd.com/doc/101181012/Rakshasa-Whitepaper

samspenc12y ago

Finally. Given how Huawei routers are riddled with "Security 101" vulnerabilities [1], I doubt that Lenovo is any better.

[1] http://news.cnet.com/8301-1009_3-57482813-83/expert-huawei-r...

lifeisstillgood12y ago

If this is not a reason for government backed Open Source hardware I don't know what is. If you know the hardware design you can check it

And I am willing to bet there is a way to take a circuit "fingerprint"

wil42112y ago

edit: typo

keithpeter12y ago

OK, so Lenovo is not being bought.

What is? Anyone got any information?

Most UK govt/corporate types I see have Thinkpads and and a Civil Service Blackberry but they are not covert.

RexRollman12y ago

Considering the pressure the US is applying to gain access to people's data, I think I am equally critical of anything from from a US company.

lsiebert12y ago

So are these alleged hw backdoors low level enough that os doesn't matter?

j / k navigate · click thread line to collapse