Obviously I know it’s impossible for something ever to be 100% secure, however I would like some outside opinions on this. I have a Lenovo Desktop that I bought just over 5 months ago. It seemed like a good idea at the time, but I’ve been reading that Lenovo has a lot of security flaws. I uninstalled all the software, although I don’t know if that does much if I’m still using the firmware/hardware that came with the computer. All I want to know is if Lenovo is known to collect data through their firmware/hardware, and if so is there anyway to prevent them from doing so. I’ve been searching all over online for this and can’t find anything useful.
I remember a few years ago there was a problem with Lenovo adding adware to their firmware but I haven’t heard anything more recently. Always a possibility though, Intel doing something with ME in its chipsets. To be honest you could say the same of most hardware vendors. It’s very difficult to know exactly how far you can trust them, which is why assuming compromise is always the best policy.
After typing this reply, I noticed that @Plum already covered what I am saying here using many fewer words. Hopefully, the following is not redundant and can instead serve to expand upon what @Plum has said.
Although Lenovo has historically been a trusted company for corporate and personal security alike, in the past decade its reputation has been sullied by a number of frankly unacceptable scandals. Among them include the fact that in 2015, some Lenovo computers came pre-installed with adware called Superfish, which “injects advertisements into users’ browsers and impersonates security certificates”, acting as a man in the middle. It was effectively malware. Even Lenovo eventually labelled it a “vulnerability” and provided instructions for how to uninstall it. This was not before it became the subject of a class-action lawsuit, however, whose initial settlement costed the company $1 million, then $3.5 million, then $7.3 million, but which was eventually finalized at $8.3 million with 32 states.
Later that same year, some Lenovo computers were discovered to be shipping with a “utility” called the Lenovo Service Engine, which leverages Microsoft Windows to update and reinstall both itself and software by Lenovo even when they are uninstalled, which has earned it the characterization of being a “rootkit” or “‘rootkit’-style covert installer”.
Incidentally, in 2013 (before all the above incidents), it was reported that Lenovo was banned from use in the spy agencies of multiple nation-states over concerns about the possibility of Chinese backdoors and malware being surreptitiously installed on Lenovo devices. This ban has existed since the 2000s and may have been introduced in 2005 by Five Eyes agencies. Shortly after, in 2006, the State Department of the United States followed suit. Whether any of this was actually based on any concrete evidence, and not just used as a proxy for political tensions between the countries, is unclear. Maybe Lenovo was unfairly distrusted for merely being a Chinese company; this news came only a month after the Snowden revelations, so this may have been part of an attempt at changing the subject. Whatever the case may have been, Lenovo devices were still distrusted and decommissioned from work in spy agencies, so take from that what you will.
Since then, other parts of the United States government also began blacklisting Lenovo:
Lenovo products have been banned, investigated or deemed vulnerable by the State Department in 2006, the Department of Homeland Security in 2015, the Joint Chiefs of Staff Intelligence Directorate in 2016, and the DoD Information Network in 2018. (source)
Most of the United States government apparently does not trust Lenovo computers at all, though its reasons are unclear and its evidence for those reasons is lacking. The extent to which you trust the United States government (and consider the Chinese government a threat) may be what determines how much this will matter to you, though.
So, should you trust Lenovo products? That’s your call to make. I distrust the infrastructure, and personally extend that to the endpoint as well, so I do not trust Lenovo—or, put differently, I do not have faith that the company will unwaveringly protect my interests. But do I trust Lenovo significantly less than others? Honestly, not really, so I do not try to avoid Lenovo products like I would if I did.
Given what I liked about Lenovo products in the first place, however, I would probably not use one made after 2013 and so would have to buy a pre-owned computer. But that is not a security assessment so much as it is a personal preference for powerful and ruggedized business laptops that can be almost completely disassembled with only a few basic tools, something exceedingly rare in today’s consumer technologies.
Lastly, on data collection through firmware and hardware, I am unaware of any publicly documented evidence of that. At that level, however, you have far more notorious attack vectors to worry about, such as a malicious Intel Management Engine. Whatever threat something like a malicious Intel ME may pose to you is unlikely to be coming from Lenovo, unless you assume Lenovo to engage in mass supply-chain attacks at the behest of an entity like the Chinese government. Barring that, Lenovo’s culpability in any such potential threat is probably low to nonexistent, especially since that would otherwise expose Lenovo to much more than just another class-action lawsuit.
I come at this from a different standpoint.
For Qubes Certified hardware, Insurgo has a ‘modified Lenovo X-230.’
Insurgo is very open to explaining those modifications, and how other users could do them. It is a goal of Insurgo to help others, in other parts of the world, produce these computers.
As I could not afford to buy one, I bought a Lenovo X230 and fiddled some.
I discovered that one of the things that Lenovo did, is to have a BIOS which limits one to certain original Intel components. Like the WiFi Chip. If one uses the latest BIOS firmware from Lenovo/Intel, the computer will not boot unless it has the Intel WiFi Chip that originally came with Lenovo X230. The reason being that the part of the basic Intel chip, which Intel can remotely change without telling me, or me knowing, can use that Intel Wifi chip. Not another WiFi Chip inside machine.
Meaning, Lenovo modified MOBO firmware, for a computer they no longer manufacture, to limit my using another WiFi chip. Yeah, we could blame Intel, but Lenovo, ‘In My Opinion’ is showing its true colors. The other consideration is that the entire computer world is coming down on manufacturers to Lock Down their computers so Malware can not be installed on it.
I know a Computer Repair person who was talking about Apple doing something to lock the firmware to limit their computer being only used by the Apple OS.
Coming back to the Lenovo X230, remember Insurgo has modified theirs, by Installing Core Boot. Also replacing the WiFi Chip to an Atheros WiFi Chip. I made the change by using 1vyrain.
Seems to me that if Core Boot could be installed on a lot of other Laptops, then those Laptops would also be Qubes candidates.
Anyway. I do not trust Intel. Intel long ago installed a method to change the programming of their BIOS, for what I assume is not in my best interest. And kept it secret. They modified the upgrade to the BIOS to lock the firmware so I could not stop it from being changed, against my knowledge, and I assume my best interest.
Only by Modifying the Lenovo X-230 might it be secure. The X530 which can be similarly modified as the X230.
Even after spending over a hundred dollars to upgrade the RAM to 16 GB and more $$ buying what seems like a decent SSD, Qubes runs pretty slowly. Lenovo X 230 seems willing to run all the other versions of Linux without having to add firmware Modules to the OS. Including the Pure OS, which runs much faster.
I feel Lenovo and Intel have displayed their true intent. Make up your own mind.
Just putting this here:
Another Pentagon supplier that received attention was China’s Lenovo Group Ltd. In 2008, U.S. investigators found that military units in Iraq were using Lenovo laptops in which the hardware had been altered. The discovery surfaced later in little-noticed testimony during a U.S. criminal case—a rare public description of a Chinese hardware hack.
“A large amount of Lenovo laptops were sold to the U.S. military that had a chip encrypted on the motherboard that would record all the data that was being inputted into that laptop and send it back to China,” Lee Chieffalo, who managed a Marine network operations center near Fallujah, Iraq, testified during that 2010 case. “That was a huge security breach. We don’t have any idea how much data they got, but we had to take all those systems off the network.”
EDIT / SORRY. I just saw that @sven had posted about this same issue in a new post. I hadn’t checked the most recent posts before I posted this piece of info.
x230 being the staple of the firmware (BIOS) modding community is sounding increasingly like an unfortunate historical accident.
Either way, we can’t rely on x230 forever, especially if you’re avoiding second hand computers. Are any of the modders like osresearch (Heads) looking at newer machines, or are newer CPUs too hack-resistant? What about AMD or ARM?