Manufacturer Included Malware

When we buy a computer we are necessarily trusting the manufacturer to some extent. One of the things we trust the manufacturer to do is deliver a system free of malware. This trust isn’t always properly placed since many manufacturers include a lot of software that is indistinguishable from malware but we usually trust the manufacturer to not make that malware persistent. What happens when the manufacturer not only includes malware but also makes it so persistent that a clean installation of Windows won’t remove it?

Windows 8 and Windows 10 contain a surprising feature that many users will find unwelcome: PC OEMs can embed a Windows executable in their system firmware. Windows 8 and 10 will then extract this executable during boot time and run it automatically. In this way, the OEM can inject software onto a Windows machine even if the operating system was cleanly installed.

The good news is that most OEMs fortunately do not seem to take advantage of this feature. The bad news is that “most” is not “all.” Between October 2014 and April of this year, Lenovo used this feature to preinstall software onto certain Lenovo desktop and laptop systems, calling the feature the “Lenovo Service Engine.”


Making this rather worse is that LSE and/or OKO appear to be insecure. Security issues, including buffer overflows and insecure network connections, were reported to Lenovo and Microsoft by researcher Roel Schouwenberg in April. In response, Lenovo has stopped including LSE on new systems (the company says that systems built since June should be clean). It has provided firmware updates for affected laptops and issued instructions on how to disable the option on desktops and clean up the LSE files.

This is an example of a manufacturer using a legitimate feature for nefarious purposes. The feature, as far as Microsoft intended it, was meant to be an anti-theft measure:

And in its own awful way, it’s a feature that makes sense. The underlying mechanism is simple enough; the firmware constructs tables of system information when the machine boots. The operating system then examines these tables to, for example, learn what hardware is installed in the machine and how it is connected. This is all governed by a specification called ACPI, Advanced Configuration and Power Interface. Microsoft defined a new ACPI table, the Windows Platform Binary Table (WPBT), that contains information about a firmware-embedded executable. When it boots, Windows looks for a WPBT. If it finds one, it copies the executable onto the filesystem and runs it.

The primary purpose of WPBT is the automatic installation of anti-theft software. This kind of software typically does a couple of things that require online connectivity: it can phone home to check if it’s been reported stolen (and brick or otherwise disable itself if it has), and it can phone home to simply report where it is to aid recovery of lost or stolen hardware.

Instead Lenovo used it to ensure the pre-install software that comes with the laptop, which was insecure, would always be installed even if the user did a clean install with a Windows disc. That’s pretty scummy behavior. Fortunately Lenovo appears to have stopped doing this but trust, as far as I’m concerned, has already been breached.