As the saying goes, fool me once shame on you, fool me twice shame on me. Lenovo is putting that idiom to the test. According to a report by the BBC a “massive security risk” of Lenovo devices has been found by researchers. This news comes only months after the ‘superfish’ news in which preinstalled adware created security issues.
There are a number of security flaws that were uncovered by IOActive. First, according to the researchers attackers could “bypass signature validation checks and replace trusted Lenovo applications with malicious applications." This would allow people to hack a public Wi-Fi network and “exploit this to swap Lenovo's executables with a malicious executable.” These are often referred to as “coffee shop attacks.”
Second, people could utilize the security flaw to “gain elevated permissions.” In the report they state that
“A local attacker could exploit this to perform a local privilege escalation by waiting for the System Update to verify the signature of the executable, and then swapping out the executable with a malicious version before the System Update is able to run the executable. When the System Update gets around to running the executable, it will run the malicious version, thinking it was the executable that it had already verified.”
These security flaws stem from the fact that “The Lenovo System Update allows least privileged users to perform system updates.” This means that attackers can act as if they were a privileged user and perform system updates.
There is a bit of good news to all of this. There has been a patch released to fix these reported issues. IOActive discovered reported the issues to Lenovo in February and a patch to fix them was released on April 3, 2015.
This is another blow to the integrity and security of Lenovo. It will be interesting to see how repeated security risks affect their bottom line.