• Home
  • Laptops
  • Laptops News
  • Critical 'ThinkPwn' Security Flaw Found in Lenovo Laptops; Other Manufacturers Potentially Vulnerable

Critical 'ThinkPwn' Security Flaw Found in Lenovo Laptops; Other Manufacturers Potentially Vulnerable

Share on Facebook Tweet Share Reddit Comment
Critical 'ThinkPwn' Security Flaw Found in Lenovo Laptops; Other Manufacturers Potentially Vulnerable
Highlights
  • Developer Dmytro Oleksiuk posted details of the flaw to GitHub
  • Lenovo has pinned the blame on Intel and outside contractors
  • One Twitter user has claimed that his HP laptop is also affected
Lenovo has owned up to the existence of a critical security vulnerability in the firmware of many of its laptops. After teasing it on Twitter on June 29, developer and self-described "unethical hacker" Dmytro Oleksiuk posted details of the vulnerability on GitHub. Commentators have quickly dubbed the issue 'ThinkPwn' although it now seems to be common to other hardware vendors.

According to Oleksiuk, the flaw affects a large number of Lenovo's ThinkPad models going back several years. He claimed to have verified it on a ThinkPad X220, which launched in 2011. He has provided snippets of code and instructions on his GitHub post so that others can detect the vulnerability on systems they have access to.

The flaw allows remote attackers to disable write protection on a device's firmware and gain access to the System Management Mode, which is intended to be a secure environment for approved code to be run in. This must be done by physically accessing the device, which at least limits the scope of the attack. However, once that is done, an attacker can remotely disable the Secure Boot feature found in most modern UEFI BIOSes which verifies the integrity of the OS. Rootkits can then be introduced into a compromised system, allowing attackers to spy on them and take control of them remotely. Software security features designed to protect a person or company's credentials can also be compromised.

The company has issued an initial security advisory, LEN-8324, in which it says it is working on a solution as quickly as possible. According to the statement, Lenovo tried to contact the independent researcher who claimed knowledge of the problem, but he published it without any coordination. The statement goes on to state that Lenovo has identified vulnerable parts of its System Management Mode code, but pins the blame on "at least one of our Independent BIOS Vendors (IBVs)" - software companies to which Lenovo outsources the development of its custom BIOS firmware - as well as Intel, which created the common code base that IBVs work with.

Oleksiuk has tweeted that Lenovo only demanded that he not release his findings, and statements on his GitHub accuse the company of "copy-pasting" Intel's reference code for 8-series chipsets. He also makes a passing note that the code could have been crafted intentionally for use as a backdoor. This heavily suggests that Lenovo isn't the only company whose products are affected by the flaw, and at least one Twitter user has tweeted Oleksiuk with purported evidence that at least one HP laptop model is vulnerable.

Lenovo says it is working to identify the author of that specific piece of code, implying that it was not a mistake but put in purposefully. Functions such as remote administration have been known to expose controls of computer systems to unintended people either due to security lapses or poor judgment.

Lenovo has had several security problems of late, including revelations that it deliberately shipped PCs with spyware as well as easily compromised adware and other bloat preinstalled.

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

Jamshed Avari

Jamshed Avari has been working in tech journalism as a writer, editor and reviewer for over 13 years. He has reviewed hundreds of products ranging from smartphones and tablets to PC components and accessories, and has also written guides, feature articles, news and analyses. Going beyond simple ratings and specifications, he digs deep into how emerging products and services affect actual users, and what marks they leave on our cultural landscape. He's happiest when something new comes ...More

TCL 560 First Impressions
Drones That Visually Coordinate on Their Own Soon
 
 

Advertisement

 

Advertisement