The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Spy agencies ban Lenovo PCs on security concerns

    Discussion in 'Lenovo' started by Goren, Jul 28, 2013.

  1. Goren

    Goren Notebook Virtuoso NBR Reviewer

    Spy agencies ban Lenovo PCs on security concerns

    Christopher Joye, Paul Smith and John Kerin

    Computers manufactured by the world’s biggest personal computer maker, Lenovo, have been banned from the “secret” and “top secret” networks of the intelligence and defence services of Australia, the US, Britain, Canada, and New Zealand, because of concerns they are vulnerable to being hacked.

    Multiple intelligence and defence sources in Britain and Australia confirmed there is a written ban on computers made by the Chinese company being used in “classified” networks.

    The ban was introduced in the mid-2000s after intensive laboratory testing of its equipment allegedly documented “back-door” hardware and “firmware” vulnerabilities in Lenovo chips. A Department of Defence spokesman confirmed Lenovo products have never been accredited for Australia’s secret or top secret networks.

    The classified ban highlights concerns about security threats posed by “malicious circuits” and insecure firmware in chips produced in China by companies with close government ties. Firmware is the interface between a computer’s hardware and its operating system.

    Lenovo, which is headquartered in Beijing, acquired IBM’s PC business in 2005.

    IBM continues to sell servers and mainframes that are accredited for secret and top-secret networks. A Defence spokesman said Lenovo had never sought accreditation.

    The Chinese Academy of Sciences, a government entity, owns 38 per cent of Legend Holdings, which in turn owns 34 per cent of Lenovo and is its largest shareholder.

    Malicious modifications to Lenovo’s circuitry

    AFR Weekend has been told British intelligence agencies’ laboratories took a lead role in the research into Lenovo’s products.

    Members of the British and Australian defence and intelligence communities say that malicious modifications to Lenovo’s circuitry – beyond more typical vulnerabilities or “zero-days” in its software – were discovered that could allow people to remotely access devices without the users’ knowledge. The alleged presence of these hardware “back doors” remains highly classified.

    In a statement, Lenovo said it was unaware of the ban. The company said its “products have been found time and time again to be reliable and secure by our enterprise and public sector customers and we always welcome their engagement to ensure we are meeting their security needs”.

    Lenovo remains a significant supplier of computers for “unclassified” government networks across western nations, including Australia and New Zealand’s defence departments.

    A technology expert at the Washington-based Brookings Institution, Professor John Villasenor, said the globalisation of the semi-conductor market has “made it not only possible but inevitable that chips that have been intentionally and maliciously altered to contain hidden ‘Trojan’ circuitry will be inserted into the supply chain.

    “These Trojan circuits can then be triggered months or years later to launch attacks,” he said.

    Hardware back doors can be very hard to detect

    A security analyst at tech research firm IBRS, James Turner, said hardware back doors are very hard to detect if well designed.

    They were often created to look like a minor design or manufacturing fault, he said. To avoid detection, they are left latent until activated by a remote transmission.

    “Most organisations do not have the resources to detect this style of infiltration. It takes a highly specialised laboratory to run a battery of tests to truly put hardware and software through its paces,” Mr Turner said. “The fact that Lenovo kit is barred from classified networks is significant, and something the private sector should look at closely.”

    Professor Villasenor said malicious circuitry known as “kill-switches” can be used to stop devices working and to establish back doors. French defence contractors reportedly installed kill-switches into chips that can be remotely tripped if their products fall into the wrong hands.

    AFR Weekend has been told the electronic eavesdropping arms of the “five eyes” western intelligence alliance, including the National Security Agency in the US, GCHQ in the UK, and the Defence Signals Directorate in Australia, have physically connected parts of their secret and top secret computer networks to allow direct communications between them. This means that security bans on the use of products within the secret networks are normally implemented across all five nations. Two commonly used suppliers are Dell and Hewlett-Packard.

    The ban on Lenovo computers also applies to Britain’s domestic and foreign security services, MI5 and MI6, and their domestic equivalents: the Australian Security Intelligence Organisation and the Australian Secret Intelligence Service.

    Not connected with foreign counterparts

    In contrast to the other agencies, ASIO’s top secret network, called “TSNet”, is compartmentalised and not connected with foreign counterparts because of its counter-intelligence role.

    All these secret-level defence and intelligence networks are “air-gapped”, which means they are physically separated from the internet to minimise security risks. ASIO, ASIS, and DSD are colloquially known as Channel 10, The Other DFAT and The Factory. An academic expert on computer hardware implants, Professor Farinaz Koushanfar at Rice University’s Adaptive Computing and Embedded Systems Lab, said the NSA was “incredibly concerned about state-sponsored malicious circuitry and the counterfeit circuitry found on a widespread basis in US defence systems”.

    “I’ve personally met with people inside the NSA who have told me that they’ve been working on numerous real-world cases of malicious implants for years,” she said.

    “But these are all highly classified programs.”

    Australia’s defence department runs three networks managed by the Chief Information Officer Group: the Defence Restricted Network; the Defence Secret Network; and the Top Secret Network.

    The DRN is not classified and is linked to the internet via secure gateways. The DSN and TSN are air-gapped and off limits to Lenovo devices. An official with clearance to access all three networks can switch between them using a diode, called the Interactive Link, connected to a single computer. Previously officials used multiple desktops connected to individual networks.

    Anti-China trade sentiment

    In 2006 it was disclosed that the US State Department had decided not to use 16,000 new Lenovo computers on classified networks because of security concerns.

    The change in procurement policy was attributed to anti-China trade sentiment after Lenovo’s acquisition of IBM’s PC business.

    Some experts argue that blocking specific companies from classified networks is not a panacea for security threats given the global nature of supply chains.

    Many western vendors have semiconductor fabrication plants, or “foundries”, based in China, which exposes them to the risk of interference.

    Huawei Technologies made the same argument in response to the Australian government’s decision to exclude it from the National Broadband Network. Huawei says a better approach would be to evaluate all products in a single forum overseen by security agencies.

    The Lenovo revelations follow allegations in The Australian Financial Review last week by the former head of the CIA and NSA, Michael Hayden, that Huawei spies for the Chinese government. Huawei officials and China’s Australian embassy strenuously denied these claims.
     
  2. andrick

    andrick Notebook Consultant

    I don't know about ThinkPad, but if you are talking about Lenovo consumer brand notebooks such as IdeaPad or their value line, they have a big security weakness. You can press F12 to enter the boot menu after the machine has started. In the boot menu screen you can choose to boot from other sources (optical drive, USB drive, or PXE). So the boot order setting in BIOS is useless in this case. I believe this was made for user convenience, but the problem is it can't be disabled. From the time I bought my first Lenovo 5 years ago, this function is still there today.
     
  3. ajkula66

    ajkula66 Courage and Consequence

    You can exclude every single booting device in BIOS and THEN lock it with a Supervisor password. Problem solved.

    There's more to the story above than just that.
     
  4. andrick

    andrick Notebook Consultant

    Not all Lenovo notebooks have a BIOS option to exclude a boot device. My old Lenovo definitely doesn't have this option. But I believe most ThinkPads have it.
     
  5. ajkula66

    ajkula66 Courage and Consequence

    Well, government in any shape or form was known for using ThinkPads and not IdeaPads, Value Line models etc. And *all* ThinkPads built in the past decade had this option - I can't say anything about the *30 series - since I refuse to touch one...:D

    Furthermore, you will find a number of government-ordered ThinkPads that were built in either U.S. or Mexico, even when Lenovo was already in charge. I own several from various eras.
     
  6. MidnightSun

    MidnightSun Emodicon

    This is even sillier than the issues currently going on with Huawei and ZTE and US government networking equipment. While they're at it, they might as well ban all computers and phones since so many of their components are assembled in China as well. And, in lieu of straying into politics, I'll just leave it at that.
     
  7. specs1212

    specs1212 Newbie

    This accusation does not make much sense. Most other laptops from US brands are made in China as well so technically they are also at risk for exploitations. In fact, if you turn over a Dell Precision M4700 laptop, it says "Made in China" underneath it.
     
  8. Jarhead

    Jarhead 恋の♡アカサタナ

    Lenovo, HP, Dell, Apple, all that... I don't see why Lenovo is made out to be a special case, other than "Roughly 13% (38% of 34%) owned by a company that's owned by the Chinese government." But, as MidnightSun said, if being partly connected to China is a concern, we might as well go back to typewriters and snail mail for communication.
     
  9. baii

    baii Sone

    Almost every computer has a key that will do just that.
    It is not "lenovo".
     
  10. power7

    power7 Notebook Evangelist

  11. Flickster

    Flickster Notebook Evangelist

    This goes much deeper than some boot-up options - that's almost comical, it goes beyond what 99.99% of the people on this forum including myself (I have a background in network security) know or can understand. These gov agencies are talking about modifications being made at the chipset/hardware level on the motherboards.

    The reason Lenovo is being targeted is because of the high % stake owned by the Chinese government and not having been certified for top secret use. Obviously computer scientists and engineers working for the government have studied the motherboards, every chip including the firmware and come to the conclusion that some of these chips either don't need to be there or have malicious/suspect code inside them which makes them vulnerable to backdoor attacks, this information would be classified.

    Hence, there is little point in us speculating or wondering why AUS, GB, USA etc have banned Lenovo from their TS networks. One thing you can be sure is they had valid grounds to do so.

    Whatever scrutineering process these governments put the hardware on their top-secret networks through, Lenovo failed it and some other manufacturers didn't. Why... you will never know.
     
  12. pepper_john

    pepper_john Notebook Deity


    In the US the fed government and closely related companies only use HP, Dell (and maybe Apple) and it has been this way for many years. I know since I work for one of them.

    Meanwhile a best friend of mine at Goldman Sachs has a ThinkPad at work. Does it mean that GS care less about security? Don't think so.
     
  13. ajkula66

    ajkula66 Courage and Consequence

    "Many years" would roughly equal the time that IBM sold its PC Division to Lenovo...plus another year or two, on certain levels, maybe...:D

    There are different levels of concern involved here...I'm not certain that one could quantify it as "less" and/or "more"...
     
  14. Flickster

    Flickster Notebook Evangelist

    As mentioned by ajkula, you can't compare the security concerns of the NSA, ASIO, CIA etc to that of a private company i.e. Goldmans. It doesn't mean Goldmans doesn't care about security but when it comes to the mentioned agencies and national security, we are talking a different ball game altogether.

    Unless you worked in a security team for one of the mentioned US Gov agencies, which I doubt - or you wouldn't even be discussing these matters in an open forum, then you wouldn't have any idea what their security concerns are - no disrespect intended.

    Do the CIA, ASIO etc care more about security than some private company... not so much a question of do they care more, I think they just throw a hell of a lot more resources at the problem because they can, and the stakes are much greater if security is compromised.
     
  15. Kaso

    Kaso Notebook Virtuoso

    Yeah, you wouldn't -- either way, good or bad, firm or loose, robust or flaky...

    Making copies of corporate/governmental files -- most likely innocent-looking Excel spreadsheets -- and keeping them in notebooks that can be readily stolen? Happens. Defeats all the security policies and mechanisms, don't you think?

    :D
     
  16. Jobine

    Jobine Notebook Prophet

    1. How is this different from Apple having backdoors in *All* of their iCrap?
    2. I have nothing to hide on my PC. I doubt the Chinese gov. would want my schoolwork/video game saves/travel pictures.
    3. Windows OS has *plenty* of backdoors.
    4. I'm pretty sure every other PC maker has a Backdoor.
     
  17. Jarhead

    Jarhead 恋の♡アカサタナ

    All because you have nothing to hide, doesn't necessarily mean you have anything to show. I have nothing to hide as well, though I'd be royally ticked off if someone in government wanted to search through my computer sans warrant "just because". Not sure how I feel on Chinese spying though, since they don't have any influence over my daily life like the US or state does.
     
  18. Kaso

    Kaso Notebook Virtuoso

    :D :D :D If you can tell you're being spied on and whether the spying affects you, it's definitely not spying.

    Such a sheltered life. Enjoy it while you can.
     
  19. baii

    baii Sone

    Idk, maybe they will kidnap you for experiment if they find you interesting.
     
  20. Flickster

    Flickster Notebook Evangelist

    That's my point Kaso, no one here including myself (which I said earlier) would really know the actual reasons for why ASIO, CIA etc banned Lenovo, that information would be classified. Hence it makes it kinda silly trying to say well why is Apple not banned or XYZ brand. We don't have all the facts and never will. We just trust that the governments had a good reason for doing it.