- Developer Dmytro Oleksiuk posted details of the flaw to GitHub
- Lenovo has pinned the blame on Intel and outside contractors
- One Twitter user has claimed that his HP laptop is also affected
Lenovo has owned up to the existence of a critical security vulnerability in the firmware of many of its laptops. After teasing it on Twitter on June 29, developer and self-described “unethical hacker” Dmytro Oleksiuk posted details of the vulnerability on GitHub. Commentators have quickly dubbed the issue ‘ThinkPwn’ although it now seems to be common to other hardware vendors.
According to Oleksiuk, the flaw affects a large number of Lenovo’s ThinkPad models going back several years. He claimed to have verified it on a ThinkPad X220, which launched in 2011. He has provided snippets of code and instructions on his GitHub post so that others can detect the vulnerability on systems they have access to.
The flaw allows remote attackers to disable write protection on a device’s firmware and gain access to the System Management Mode, which is intended to be a secure environment for approved code to be run in. This must be done by physically accessing the device, which at least limits the scope of the attack. However, once that is done, an attacker can remotely disable the Secure Boot feature found in most modern UEFI BIOSes which verifies the integrity of the OS. Rootkits can then be introduced into a compromised system, allowing attackers to spy on them and take control of them remotely. Software security features designed to protect a person or company’s credentials can also be compromised.
The company has issued an initial security advisory, LEN-8324, in which it says it is working on a solution as quickly as possible. According to the statement, Lenovo tried to contact the independent researcher who claimed knowledge of the problem, but he published it without any coordination. The statement goes on to state that Lenovo has identified vulnerable parts of its System Management Mode code, but pins the blame on “at least one of our Independent BIOS Vendors (IBVs)” – software companies to which Lenovo outsources the development of its custom BIOS firmware – as well as Intel, which created the common code base that IBVs work with.
Oleksiuk has tweeted that Lenovo only demanded that he not release his findings, and statements on his GitHub accuse the company of “copy-pasting” Intel’s reference code for 8-series chipsets. He also makes a passing note that the code could have been crafted intentionally for use as a backdoor. This heavily suggests that Lenovo isn’t the only company whose products are affected by the flaw, and at least one Twitter user has tweeted Oleksiuk with purported evidence that at least one HP laptop model is vulnerable.
Lenovo says it is working to identify the author of that specific piece of code, implying that it was not a mistake but put in purposefully. Functions such as remote administration have been known to expose controls of computer systems to unintended people either due to security lapses or poor judgment.
Lenovo has had several security problems of late, including revelations that it deliberately shipped PCs with spyware as well as easily compromised adware and other bloat preinstalled.