Dispatches From The Geeks

News and Announcements from the MCS Systems Group

Thinking of purchasing a Thinkpad?

Ever since IBM sold off its laptop line to Lenovo, I’ve been a little wary. Not paranoid wary, mind you, but as my role as a Cyber Security Program Representative (CSPR) at Argonne, I’ve been cautiously wary.

This wariness was not eased with each revelation of spyware installed on Lenovo laptops, including instances of it actually being installed in BIOS. I remained wary, but noted in each case the bad behavior was limited to the "consumer" line of laptops – the same lower-quality laptops they were making before the IBM PC/Laptop acquisition. I believed they would treat the Think line as sacrosanct, since it came with a customer base that was almost entirely business-based and one that was more sensitive to this type of behavior. I didn’t think they’d do anything to jeopardize that relationship.

Today, that changed. News came out of a Lenovo Thinkpad shipped with pre-installed spyware. This is a shame, since I’m still generally of the opinion that if you don’t get a Mac, the Thinkpad is the best laptop you can lay hands on.

Now this story (linked below), has a number of caveats, the main one being this was a refurbished unit. However, it indicates that a line Lenovo had previously seemed to be treating as sacred has been crossed. I don’t think, from a cyber security standpoint nor from a privacy standpoint, it’s a safe bet to trust the default software install on Lenovo laptops going forward.

Most users in CELS are running Macs, or are running Linux on their laptops. At this point (and I am carefully noting this is a personal recommendation from me and not yet a lab policy), if you wish to buy a Lenovo laptop, I strongly recommend replacing the default OS with a known safe build of either your own design or one supplied by us in Systems. If you’re going to install Linux on it, you’re probably just fine (though that’s by no means guaranteed to always be the case). If you want to run Windows, I’d recommend going with one of the Argonne-recommended laptops from Dell’s offerings. If you really want a Lenovo, and really want to run Windows, let us go over the machine before you take it on and make sure it’s running trusted software.

At some point, it wouldn’t surprise me if these spyware vectors changed and started to affect various Linux builds via BIOS infiltration methods, or possibly even hardware-level sniffing and capture methods. I don’t think it’s *likely*, but I wouldn’t be surprised.

Thanks.

Lenovo BIOS software installation: http://arstechnica.com/information-technology/2015/08/lenovo-used-windows-anti-theft-feature-to-install-persistent-crapware/

Thinkpad Spyware: http://www.computerworld.com/article/2984889/windows-pcs/lenovo-collects-usage-data-on-thinkpad-thinkcentre-and-thinkstation-pcs.html

Advertisements

Written by Craig Stacey

September 23, 2015 at 8:14 pm

Posted in Uncategorized

%d bloggers like this: