After Lenovo got into a heavy mess back in February regarding its Superfish software, an adware that could possibly steal personal data, another security breach on the company's products has recently been discovered.
This time around, a program called "Lenovo Service Engine" is in question. First found by Ars Technica forum users, the service automatically downloads and installs what the company allegedly calls "optimization software." This reportedly aims to enhance the system firmware and drivers, and help the PC to run more smoothly.
While this does not sound like anything alarming, this is where the scary part comes in: it has been discovered that the Lenovo Service Engine does not cease to exist even when the system is wiped clean. If a system is running on Windows 7 or 8, the BIOS of the laptop looks for a file called "autochk.exe," and checks if it is signed by Microsoft or Lenovo. The system then overwrites the file with its own on every boot. Moreover, LSE was found to collect data from the user, and sends it to a Lenovo server, which were allegedly used for telemetry purposes.
In light of the problem, Lenovo defended itself, saying that there are no personable identifiable information collected by the program. Also, the company has since provided a fix for the issue, removing the said rootkit. The patch however is a manual download, and cannot be automatically acquired.
While the issue is indeed a disconcerting security breach, the technique that Lenovo employed for the program was actually powered by Microsoft's Platform Binary Table feature. This enables PC manufacturers to load up whatever software they want for their computers. Upon discovery of the breach, the description of the Binary Table program on its website was modified, saying that the program exists to allow critical programs like anti-theft software to persist even when a clean install was performed. Furthermore, Lenovo's approach was said to be inconsistent with Microsoft's security guidelines, and it was also widely unknown to its users.
A number of Lenovo laptops are affected; you can check if your device is affected here.
Lenovo has since offered a statement, saying that all devices made from June onward have a BIOS that takes care of the security vulnerability. They also stated that LSE is no longer installed on their PC's.